Suppose I have a certificate chain consisting of a Root, a CA and a User certificate. The policy extension in the Root certificate contains one OID of 1.2.4. The policy extension in the CA certificate contains one OID of 1.2.4. The policy extension in the User certificate contains one OID of 1.2.4.1. Assuming all other data is valid, is this a valid certificate chain? It appears to me that the algorithm defined in draft-ietf-pkix-new-part1-00 would determine that this certificate path is invalid. And the way to correct it would be to add a policy mapping to the CA certificate for the OID 1.2.4.1. Is the policy mapping necessary in a closed community, if the Relying Party trusts all certs issued with a policy OID of 1.2.4 and all certs issued with a policy OID of 1.2.4.1?
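
An added example, not part of the original message or of the draft: a simplified Python model of certificate-policy processing, patterned on the valid_policy_tree steps of RFC 5280 section 6.1 rather than on the exact text of draft-ietf-pkix-new-part1-00. The function names, the dict layout and the `require_explicit_policy` flag are assumptions; it runs the chain from the question with and without a policy mapping in the CA certificate.

```python
ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID

def validate_policies(path, require_explicit_policy=True):
    """Return (accepted, leaf_policies) for a path ordered issuer-first.

    Each cert is {"policies": set of OIDs,
                  "mappings": {issuerDomainPolicy: {subjectDomainPolicy, ...}}}.
    Simplifications (assumptions): no qualifiers, no inhibit or constraint
    counters, and tree nodes with the same valid_policy are merged.
    """
    # Leaves of the valid_policy_tree: valid_policy -> expected_policy_set.
    leaves = {ANY_POLICY: {ANY_POLICY}}
    for cert in path:
        nxt = {}
        for oid in cert["policies"] - {ANY_POLICY}:
            # OIDs are compared for exact equality: 1.2.4.1 is a different
            # policy from 1.2.4, not a sub-policy that inherits from it.
            if any(oid in exp for exp in leaves.values()) or ANY_POLICY in leaves:
                nxt.setdefault(oid, set()).add(oid)
        if ANY_POLICY in cert["policies"]:
            # anyPolicy in a cert carries every expected policy forward.
            for exp in leaves.values():
                for oid in exp:
                    nxt.setdefault(oid, set()).add(oid)
        # A mapping replaces the expected set of the issuer-domain policy
        # with the subject-domain policies it is declared equivalent to.
        for issuer_dom, subject_doms in cert.get("mappings", {}).items():
            if issuer_dom in nxt:
                nxt[issuer_dom] = set(subject_doms)
        leaves = nxt
    # An empty tree is fatal only when an explicit policy is required.
    accepted = bool(leaves) or not require_explicit_policy
    return accepted, set(leaves)

def chain(ca_mappings=None):
    # Constructed sample: the three certificates described in the question.
    # The Root is processed as the first certificate here (assumption).
    return [
        {"policies": {"1.2.4"}},                                 # Root
        {"policies": {"1.2.4"}, "mappings": ca_mappings or {}},  # CA
        {"policies": {"1.2.4.1"}},                               # User
    ]

if __name__ == "__main__":
    print(validate_policies(chain()))                        # no mapping
    print(validate_policies(chain(), False))                 # policy not required
    print(validate_policies(chain({"1.2.4": {"1.2.4.1"}})))  # with mapping
```

In this model the mapping replaces the expected policy rather than adding to it, so a User certificate asserting 1.2.4 under the mapped CA would no longer match.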