[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

TSA draft V7.0

To: Denis.Pinkas@xxxxxxxx
Subject: TSA draft V7.0
From: Michael Zolotarev <mzolotarev@xxxxxxxxxxxxx>
Date: Fri, 28 Apr 2000 11:35:05 +1000
Cc: PKIX mailing group <ietf-pkix@xxxxxxx>

Denis,
 
Something I've just noticed in the draft, which skipped my attention before:
 
The TSA draft defines how the AIA extension can be used in the TSA
certificate. 
***
A TSA's certificate MAY contain an Authority Information Access extension
[RFC2459] in order to convey the method of contacting the TSA. The
accessMethod field in this extension MUST contain the OID
id-ad-timestamping:
***
 
The definition actually contradicts to the 2459 profile which says:
 
***
The authority information access extension indicates how to access CA
information and services FOR THE ISSUER OF THE CERTIFICATE in which the
extension appears. Information and services may include on-line validation
services and CA policy data. 
****

Note the "FOR THE ISSUER OF THE CERTIFICATE" bit.

The content of the AIA extension does not depend on who the subject is. It
only depends on what information access services the CA has to offer. In
other words, a CA would most probably use the same AIA for a TSA cert and
for any other entity's certificate it generates .

The only possible situation I can think of when the definition given by the
TSA draft makes a tiny bit of sense is for self-signed TSA certificates. If
this is the case, the AIA would be presenting a set of protocols that can be
used to obtain timestamps. But then it must be clearly stated by the
document that only self-signed TSA certs can have that information in the
AIA extension. Still, it contradicts to the spirit of the 2459, which
defines the AIA as providing information about how to access the
certificate-issuing authority, but not the services offered by the subject
of the certificate.

The current definition in the TSA draft goes back to the very early version
of the draft. Probably, it is just me who is wrong, and there is something I
simply do not understand. Would like my concerns to be explained.

BTW, an alternative and in my opinion a better way of specifying the set of
URIs to obtain timestamps would probably be defining a proprietary extension
in TSA certificates. TsaAccessDescription ::= SEQUENCE SIZE (1..MAX) OF
GeneralName. Non-critical, with the id-ad-timestamping OID.

Best regards

M

Prev by Date: RE: What is the order of certificates in a certificate chain?
Next by Date: TSA draft V7
Previous by thread: I-D ACTION:draft-ietf-pkix-time-stamp-07.txt
Next by thread: RE: TSA draft V7.0
Index(es):
- Date
- Thread