[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CA=True for an OCSP certficat

To: pkix <ietf-pkix@xxxxxxx>
Subject: Re: CA=True for an OCSP certficat
From: Jean-Marc Desperrier <jmdesp@xxxxxxx>
Date: Fri, 04 Apr 2008 10:00:19 +0200
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <47F3657A.90402@xxxxxxxxxx> <> <47F4AFFA.20503@xxxxxxxxxx> <FAD1CF17F2A45B43ADE04E140BA83D484ACC6C@xxxxxxxxxxxxxxxxxxxxxx> <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008033101 SeaMonkey/2.0a1pre


Stephen Kent wrote:

I was not looking at the validation algorithm, but rather at ourdefinitions of extensions.I think it is very unfortunate to have a mismatch between the two, asyou describe.
What do others think?

I think the mismatch between the two is by design : Be lenient in whatyou accept, strict in what you produce.

The validation algorithm defines what RFC 3280 accepts, the rest of thetext what it produces, and it would be good to write this explicitlysomewhere so that there's no confusion.Especially this mean the validation algorithm should not be used areference text to help define the certificate format of RFC 3280.

Follow-Ups:
- RE: CA=True for an OCSP certficat
  - From: Santosh Chokhani

References:
- CA=True for an OCSP certficat
  - From: Peter Sylvester
- Re: CA=True for an OCSP certficat
  - From: Stephen Kent
- Re: CA=True for an OCSP certficat
  - From: Peter Sylvester
- RE: CA=True for an OCSP certficat
  - From: Santosh Chokhani
- RE: CA=True for an OCSP certficat
  - From: Stephen Kent

Prev by Date: RE: CA=True for an OCSP certficat
Next by Date: Re: CA=True for an OCSP certficat
Previous by thread: RE: CA=True for an OCSP certficat
Next by thread: RE: CA=True for an OCSP certficat
Index(es):
- Date
- Thread