
RE: Cert chain validation



If the policy extensions in all the certs are marked non-critical, is it
valid for a Relying Party to ignore the policy extensions during path
validation, but still display any associated User Notices?

-----Original Message-----
From: Russ Housley [mailto:housley@spyrus.com]
Sent: Tuesday, February 22, 2000 10:19 AM
To: Meggison, Tim
Cc: 'ietf-pkix@imc.org'
Subject: Re: Cert chain validation


Tim:

OIDs are not intended to have any semantics derived from their structure. 
The only appropriate operation is exact-match.  Given this, the chain you 
provide should be considered invalid.

Russ

At 05:36 PM 02/21/2000 -0500, Meggison, Tim wrote:
>Suppose I have a certificate chain consisting of a Root, a CA and a User
>certificate.
>
>The policy extension in the Root certificate contains one oid of 1.2.4.
>The policy extension in the CA certificate contains one oid of 1.2.4.
>The policy extension in the User certificate contains one oid of 1.2.4.1.
>
>Assuming all other data is valid, is this a valid certificate chain?
>
>It appears to me that the algorithm defined in draft-ietf-pkix-new-part1-00
>would determine that this certificate path is invalid.  And the way to
>correct it would be to add a policy mapping to the CA certificate for the
>oid 1.2.4.1.
>
>Is the policy mapping necessary in a closed-community, if the Relying Party
>trusts all certs issued with a policy oid of 1.2.4 and all certs issued with
>a policy oid of 1.2.4.1?
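Russ's point (OIDs are compared by exact match only, with no meaning read into their arcs) and Tim's proposed fix (a policy mapping in the CA certificate) can both be checked against a small model of the policy-processing step. The following is an added illustration, not code from this thread or from the PKIX draft; the names `Cert`, `validate_policies` and `scenario_from_thread` are chosen here, and the model flattens the RFC 3280/5280 valid_policy_tree into a plain set while keeping the three pieces that matter for the question: exact-match intersection, policy mappings, and the relying party's initial-explicit-policy input. The Root certificate from the thread is treated as an ordinary path member, which does not change the outcome since it asserts the same OID as the CA.

```python
"""Simplified certificate-policy processing for a chain, with exact-match OIDs.

Added teaching model (not a conformant RFC 3280/5280 validator): the policy
tree is collapsed into a flat set of OIDs that every certificate so far has
asserted, after applying policy mappings found in CA certificates.
"""
from dataclasses import dataclass, field

ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID as defined in RFC 5280


def parse_oid(dotted):
    """Turn '1.2.4.1' into (1, 2, 4, 1).

    Tuples compare arc by arc, so (1, 2, 4) != (1, 2, 4, 1): a longer OID
    under the same arc is simply a different policy, never a sub-policy.
    """
    return tuple(int(arc) for arc in dotted.split("."))


@dataclass
class Cert:
    name: str
    policies: list                                 # certificatePolicies OIDs (dotted strings)
    mappings: dict = field(default_factory=dict)   # policyMappings: issuerDomain -> subjectDomain


def validate_policies(chain, initial_explicit_policy=True):
    """chain is ordered trust anchor first, end entity last.

    Returns (ok, valid_policies). valid_policies is the set of dotted OIDs
    accepted for the whole path, or None if anyPolicy applied throughout.
    With initial_explicit_policy=True an empty set makes the path invalid;
    with it False the relying party is not insisting on a policy and an
    empty set is tolerated (the certificatePolicies criticality flag plays
    no part in this decision in the RFC 3280/5280 algorithm).
    """
    any_policy = parse_oid(ANY_POLICY)
    valid = None  # None means 'anyPolicy': nothing has restricted the set yet
    for cert in chain:
        asserted = {parse_oid(p) for p in cert.policies}
        if any_policy not in asserted:
            # Intersection is an exact OID match; 1.2.4 and 1.2.4.1 are disjoint.
            valid = asserted if valid is None else valid & asserted
        if valid is not None and not valid:
            break  # once the set is empty nothing further down can restore it
        if valid is not None and cert.mappings:
            # A mapping in this CA cert says: a subordinate cert asserting
            # subjectDomain is equivalent to this cert's issuerDomain policy,
            # so the set we expect the next cert to assert is rewritten.
            mapped = set()
            for issuer_oid in valid:
                subject = next((s for i, s in cert.mappings.items()
                                if parse_oid(i) == issuer_oid), None)
                mapped.add(parse_oid(subject) if subject else issuer_oid)
            valid = mapped
    if valid is None:
        return True, None  # anyPolicy at every step
    ok = bool(valid) or not initial_explicit_policy
    return ok, {".".join(map(str, p)) for p in valid}


def scenario_from_thread(with_mapping=False, initial_explicit_policy=True):
    """The Root / CA / User chain from the thread, with or without the
    policy mapping 1.2.4 -> 1.2.4.1 that Tim suggests adding to the CA cert."""
    ca_mappings = {"1.2.4": "1.2.4.1"} if with_mapping else {}
    chain = [
        Cert("Root", ["1.2.4"]),
        Cert("CA", ["1.2.4"], ca_mappings),
        Cert("User", ["1.2.4.1"]),
    ]
    return validate_policies(chain, initial_explicit_policy)


if __name__ == "__main__":
    print("as posted:          ", scenario_from_thread())
    print("with policy mapping:", scenario_from_thread(with_mapping=True))
    print("no explicit policy: ", scenario_from_thread(initial_explicit_policy=False))
```

Run as posted, the chain fails because `{1.2.4} & {1.2.4.1}` is empty; with the mapping in the CA certificate the expected set becomes `{1.2.4.1}` before the User certificate is examined and the path is accepted. The third call shows the relying-party side of Tim's follow-up question: whether an empty policy set fails the path is decided by the initial-explicit-policy input, not by the extensions' criticality.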