
RE: What is the order of certificates in a certificate chain?
Agree with all 3.  However, a CPS may require acceptance
actions that are not required by the CMP technical
specification.

If the CPS requires the EE's UA to validate EE's certificate
as a condition of acceptance, the UA will need sufficient
information from some source to perform the validation.
CMP, or PKIX operational protocols, or offline operations
could provide that information.

It's up to an accrediting body, not the IETF, to determine
if all accreditable CPSs must require (2).

Dave
> From: Peter Williams <peterw@valicert.com>
> 
> Alex,
> 
> We have seemingly cleared up or determined
> three technical points from the discussion. Do
> say if any description below is not
> correct - in your view.
> 
> (1) a CMP responder does not need to send any
> particular cert path to the subscriber, when
> returning the EE cert for EE acceptance. The UA
> should not assume presence of any particular
> certs, including the CA cert or any superior
> certs in the domain's trust network, in the
> message field in discussion. Furthermore, any
> certs that are sent are in bag order.
> 
> (2) According to CMP designers, the UA does not
> need to verify the signature of the 
> EE certificate upon initial receipt (which
> in many enrollment circumstances will constitute the
> moment of making an acceptance determination.) Such
> UA does not therefore need any certificate
> paths or CRLs (or other status source) at that
> point in time.
> 
> (3) CMP's CRL retrieval service is not meant
> to be a PKIX operational protocol. It is not
> clear if a conforming CMP implementation and CA
> will provide this facility.
> 
> Peter.
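Point (1) above says the certs in a CMP response come in bag order, with no guarantee that the CA cert or any superior cert is present. As an added illustration (not code from this thread or from any CMP implementation), the Python below orders such an unordered bag from the EE up to a configured trust anchor and fails closed when a link is missing; the Cert model, names and serials are constructed placeholders, and signature checking is deliberately left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the naming fields
    that path building consults. Signature verification is not modelled."""
    subject: str
    issuer: str
    serial: int


def build_path(ee, bag, trust_anchors):
    """Order the EE's certification path from an unordered bag of certs.

    Returns [ee, intermediate..., trust_anchor]. Raises LookupError naming the
    issuer whose certificate is neither a trust anchor nor in the bag, so a UA
    that requires a full path at acceptance time fails closed instead of
    treating an incomplete or untrusted chain as validated.
    """
    by_subject = {}
    for cert in bag:
        by_subject.setdefault(cert.subject, []).append(cert)
    path, current = [ee], ee
    seen = {(ee.subject, ee.serial)}
    # Bounded walk: each bag cert is used at most once, so len(bag)+1 steps
    # is enough to reach an anchor or prove that no link exists.
    for _ in range(len(bag) + 1):
        anchor = trust_anchors.get(current.issuer)
        if anchor is not None:
            return path + [anchor]
        nxt = next((c for c in by_subject.get(current.issuer, [])
                    if (c.subject, c.serial) not in seen), None)
        if nxt is None:  # covers absent issuer and self-signed non-anchors
            raise LookupError(f"no trusted certificate for issuer {current.issuer!r}")
        seen.add((nxt.subject, nxt.serial))
        path.append(nxt)
        current = nxt
    raise LookupError("path does not terminate at a trust anchor")


def try_build_path(ee, bag, trust_anchors):
    """Return (ordered subject names, None) or (None, error message)."""
    try:
        return [c.subject for c in build_path(ee, bag, trust_anchors)], None
    except LookupError as exc:
        return None, str(exc)


# Constructed sample hierarchy (placeholder names and serials).
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 1)
INTER = Cert("CN=Example Issuing CA", "CN=Example Root CA", 2)
EE = Cert("CN=alice", "CN=Example Issuing CA", 3)
TRUST = {ROOT.subject: ROOT}

if __name__ == "__main__":
    print(try_build_path(EE, [ROOT, EE, INTER], TRUST))  # bag order, full path
    print(try_build_path(EE, [ROOT], TRUST))             # intermediate missing
```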