RE: Sample end entity certificate
Inclusion of optional extensions is optional, since they are situation dependent.
What can be recommended in one implementation may be totally redundant in another.
RFC 3280 is not designed to do implementation specific recommendations. For that purpose there are numerous certificate profile documents aimed at certain usages of PKI.
So what can be recommended in your case can still be optional in the basic standard.
In this regard, the standard is correct.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Moudrick M. Dadashov
> Sent: 15 January 2007 02:32
> To: Russ Housley
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: Sample end entity certificate
>
>
> Russ,
>
> but RFC 2119 also does say:
>
> "OPTIONAL", mean that an item is truly optional. One vendor may choose
> to include the item because a particular marketplace requires it or
> because the vendor feels that it enhances the product while another
> vendor may omit the same item (section 5).
>
> and RFC 3280 also says both the "key usage" and "certificate policies"
> extensions are OPTIONAL
>
> Don't you think this is somehow confusing?
>
> Thanks,
> M.D.
>
> > RFC 3280 does say:
> >
> > Conforming CAs MUST support key identifiers (sections 4.2.1.1 and
> > 4.2.1.2), basic constraints (section 4.2.1.10), key usage (section
> > 4.2.1.3), and certificate policies (section 4.2.1.5) extensions.
> >
> > It does not seem to require that these be included in every
> > certificate that is issued, but looking further into these sections,
> > I find a MUST statement that is not supported by this certificate:
> >
> > From section 4.2.1.1 (Authority Key Identifier):
> >
> > The keyIdentifier field of the authorityKeyIdentifier extension MUST
> > be included in all certificates generated by conforming CAs to
> > facilitate certification path construction.
> >
> > I would encourage the CA to include key usage and certificate
> > policies extensions.
> >
> > Russ
> >
> > At 08:05 PM 1/9/2007, Moudrick M. Dadashov wrote:
> >>Hello,
> >>
> >>I'm attaching a sample end entity certificate that the issuing CA
> >>claims to be RFC 3280 compliant.
> >>
> >>The certificate at least MUST provide document signing functionality.
> >>
> >>Some of us say it's technically correct but has no legal purposes
> >>defined and therefore can't be used for test purposes only, while
> >>others say it's a universal one and can be used for all purposes.
> >>
> >>Any comments are highly appreciated.
> >>
> >>Thank you for your time,
> >>M.D.
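A concrete way to run the check Russ describes (the keyIdentifier MUST in 4.2.1.1, plus the presence of key usage and certificate policies he encourages, and the subject key identifier that 4.2.1.2 asks end entity certificates to carry) is shown below as an added example; it is not code from this thread or from any CA named in it. It is a stdlib-only DER walker over an X.509 Extensions SEQUENCE. Because the certificate attached to the original message is not on this page, the two Extensions blocks it inspects are constructed in the example itself: one complete, one with an authorityKeyIdentifier that carries only authorityCertSerialNumber and no keyUsage or certificatePolicies. All function names, the CHECKED table and its requirement labels are this example's own. With a real certificate you would feed the function the Extensions block pulled from the TBSCertificate, for instance after locating it with `openssl asn1parse -i -in cert.pem`.

```python
from __future__ import annotations

# OID -> (name, requirement level for an end entity cert as read from RFC 3280, section)
CHECKED = {
    "2.5.29.35": ("authorityKeyIdentifier", "MUST", "4.2.1.1"),
    "2.5.29.14": ("subjectKeyIdentifier", "SHOULD", "4.2.1.2"),
    "2.5.29.15": ("keyUsage", "RECOMMENDED", "4.2.1.3"),
    "2.5.29.32": ("certificatePolicies", "RECOMMENDED", "4.2.1.5"),
}
ANY_POLICY = "2.5.29.32.0"


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128, continuation bit on every octet but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner


def extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(oid) + flag + tlv(0x04, value))


def sample_extensions(aki_has_key_identifier: bool, include_recommended: bool) -> bytes:
    """Constructed Extensions blocks (not the certificate from the thread)."""
    if aki_has_key_identifier:
        aki = tlv(0x30, tlv(0x80, bytes(20)))  # [0] keyIdentifier
    else:
        aki = tlv(0x30, tlv(0x82, b"\x01"))  # only [2] authorityCertSerialNumber
    exts = [
        extension("2.5.29.35", aki),
        extension("2.5.29.14", tlv(0x04, bytes(20))),  # SKI: OCTET STRING key hash
    ]
    if include_recommended:
        # keyUsage BIT STRING: digitalSignature + nonRepudiation, 6 unused bits
        exts.append(extension("2.5.29.15", tlv(0x03, b"\x06\xc0"), critical=True))
        # certificatePolicies: one PolicyInformation naming anyPolicy
        exts.append(extension("2.5.29.32", tlv(0x30, tlv(0x30, encode_oid(ANY_POLICY)))))
    return tlv(0x30, b"".join(exts))


def check_rfc3280_extensions(extensions_der: bytes) -> list[str]:
    """One finding per absent or deficient extension; an empty list means clean."""
    tag, body, _ = read_tlv(extensions_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    present = {}
    for _, ext in children(body):
        parts = list(children(ext))  # OID, optional BOOLEAN, OCTET STRING
        present[decode_oid(parts[0][1])] = parts[-1][1]
    findings = []
    for oid, (name, level, section) in CHECKED.items():
        if oid not in present:
            findings.append(f"{level} ({section}): {name} extension absent")
    aki = present.get("2.5.29.35")
    if aki is not None:
        _, aki_body, _ = read_tlv(aki)
        # keyIdentifier is the [0] choice, a primitive context tag => 0x80
        if not any(t == 0x80 for t, _ in children(aki_body)):
            findings.append("MUST (4.2.1.1): authorityKeyIdentifier has no keyIdentifier")
    return findings


if __name__ == "__main__":
    for args in ((True, True), (False, False)):
        print(args, check_rfc3280_extensions(sample_extensions(*args)) or ["no findings"])
```

The severity labels only mirror the wording the thread quotes (MUST for the keyIdentifier, the rest encouraged); the script is a presence check, not a full path-validation or profile-conformance test, so a clean result says nothing about whether the certificate is fit for document signing under any particular policy.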