
RE: TSA draft V7.0



I agree that it would be extremely difficult for a CA to evaluate a TSA's
practices before granting it a certificate with id-timestamping. It would be
even more difficult for me, as a client, to trust that assessment.

That is why it seems reasonable to expect that a TSA would use self-signed
certificates, taking full responsibility for its practices and operations.

However, I reckon that this is largely outside of the scope of the
timestamping draft, really.

Regards
Michael

> -----Original Message-----
> From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com]
> Sent: Saturday, April 29, 2000 10:22 AM
> To: Carlisle Adams
> Cc: Denis.Pinkas@bull.net; 'Michael Zolotarev'; PKIX mailing group
> Subject: RE: TSA draft V7.0
> 
> 
> 
> 
> Carlisle Adams <carlisle.adams@entrust.com> on 04/28/2000 10:14:20 AM
> 
> To:   Denis.Pinkas@bull.net, "'Michael Zolotarev'"
>       <mzolotarev@baltimore.com>
> cc:   PKIX mailing group <ietf-pkix@imc.org>
> Subject:  RE: TSA draft V7.0
> 
> 
> 
> Hi Michael,
> 
> My interpretation is more along the following lines.  If a CA explicitly
> puts an extension in a certificate designating the subject to be a TSA
> then, in some sense at least, the time stamp authority function becomes a
> CA service.  Thus, I see no conflict with such use of the AIA extension.
> 
> [Tom Gindin] I have a hard time with the idea that a service becomes a CA
> service in any meaningful sense simply by having the CA issue a certificate
> containing an ExtendedKeyUsage value.  A CA issuing a server certificate is
> not vouching that the service will be properly performed, much less that it
> will be performed on the CA's behalf.  How much verification of the
> features of a service by the CA occurs when an operator gets a server
> certificate for a Web or LDAP server and asks for Extended Key Usage
> id-kp-serverAuth?  So how much more is required for id-kp-timeStamping,
> which is the standard way in which the CA designates the subject as a TSA?
> (snip)
> 
>
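As an added illustration (not part of this thread), here is the check a relying party actually performs when deciding whether a certificate designates its subject as a TSA: the DER-encoded ExtendedKeyUsage value is parsed and compared against id-kp-timeStamping (1.3.6.1.5.5.7.3.8). The "critical, and only that purpose" rule is the requirement that the finished timestamping RFC (RFC 3161, section 2.3) ended up imposing; the two EKU values below are constructed samples, and `critical` is assumed to be supplied by whatever parsed the enclosing Extension.

```python
# Minimal stdlib-only parser for ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_TIMESTAMPING = "1.3.6.1.5.5.7.3.8"

# Constructed sample EKU values (DER), not taken from any real certificate.
TSA_ONLY_EKU = bytes.fromhex("300a06082b06010505070308")
MIXED_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070308")


def _decode_oid(body):
    """Turn the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]  # first byte packs the first two arcs
    value = 0
    for b in body[1:]:  # remaining arcs are base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(data, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    else:
        pos += 2
    return tag, data[pos:pos + length], pos + length


def parse_eku(der):
    """Return the list of KeyPurposeId OIDs in an ExtendedKeyUsage value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtKeyUsageSyntax must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, b, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(_decode_oid(b))
    return oids


def is_tsa_eku(der, critical):
    """RFC 3161 2.3: EKU marked critical and holding only id-kp-timeStamping."""
    return critical and parse_eku(der) == [ID_KP_TIMESTAMPING]
```

A certificate that mixes id-kp-serverAuth with id-kp-timeStamping, or leaves the extension non-critical, is rejected even though it "contains" the TSA purpose.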