
Re: Extended Key Usage and path validation



Terry Hayes said:

> In fact, I probably could be convinced that Certificate 
> Policies is the correct way of checking the validity of a 
> path for a particular purpose.

Using certificate policies makes a lot of sense, but note that the CA
issuing the end-entity certificate still has some flexibility over what
policy identifiers are included in the end-entity certificate. In the
following example (which I believe to be legal), CA 1 asserts nothing about
signing S/MIME messages:

Issuer  Subject  Policy Identifiers
------  -------  ------------------
CA 1    CA 2     id-foo, id-goo
CA 2    CA 3     id-goo, id-hoo
CA 3    Alice    id-goo, id-smime

In the above example, the most superior certificate is not self-signed.

Frank
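The point of Frank's table is that what a path is valid for is the intersection of the policies asserted along the whole chain, not whatever the end-entity certificate happens to list. The following is an added illustration, not code from the original message or from any PKIX implementation. It models only the intersection step of RFC 5280 section 6.1 policy processing, and assumes no anyPolicy, no policy mappings and no inhibit/require-explicit-policy constraints; the policy names and the three-certificate path are taken from the table above, and the `Cert` class and function names are the example's own.

```python
# Added example (not from the original message): a simplified model of the
# certificate-policy intersection performed during path validation.
# Simplifying assumptions: no anyPolicy, no policy mappings, no inhibit or
# require-explicit-policy flags; every certificate carries an explicit
# certificatePolicies list.  Policy names are the placeholders from the table.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    policies: frozenset  # identifiers asserted in certificatePolicies


def is_self_signed(cert):
    """True when issuer and subject names coincide (a self-signed root)."""
    return cert.issuer == cert.subject


def chain_policy_set(chain):
    """Policies the whole path is valid for: the intersection of the policy
    sets asserted by every certificate, from the first certificate issued by
    the trust anchor down to the end-entity certificate."""
    if not chain:
        return frozenset()
    valid = chain[0].policies
    for cert in chain[1:]:
        valid = valid & cert.policies
    return valid


def path_valid_for(chain, required_policy):
    """Correct check: the required policy must survive the intersection."""
    return required_policy in chain_policy_set(chain)


def leaf_only_accepts(chain, required_policy):
    """The mistake Frank warns about: trusting the end-entity certificate's
    own policy list, which the issuing CA is free to populate as it likes."""
    return required_policy in chain[-1].policies


# Constructed path copied from the table in the message.
PATH = (
    Cert("CA 1", "CA 2", frozenset({"id-foo", "id-goo"})),
    Cert("CA 2", "CA 3", frozenset({"id-goo", "id-hoo"})),
    Cert("CA 3", "Alice", frozenset({"id-goo", "id-smime"})),
)


if __name__ == "__main__":
    print("top certificate self-signed:", is_self_signed(PATH[0]))
    print("valid policy set for path:", sorted(chain_policy_set(PATH)))
    print("path valid for id-smime:", path_valid_for(PATH, "id-smime"))
    print("leaf alone claims id-smime:", leaf_only_accepts(PATH, "id-smime"))
```

Running it shows the valid policy set collapsing to `id-goo` alone: `id-smime` appears on Alice's certificate, so a leaf-only check accepts it, but CA 1 never asserted it and the path-level check rejects it. Real validators must also handle anyPolicy, policy mappings and the inhibit/require flags, which this model deliberately omits.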