
RE: Extended Key Usage and path validation



Note that the following is a very different story:

Issuer  Subject  Policy Identifiers
------  -------  ------------------
CA 1    CA 2     id-smime

Frank

> -----Original Message-----
> From: Frank Balluffi [mailto:frankb@valicert.com]
> Sent: Wednesday, November 08, 2000 10:21 AM
> To: 'thayes@netscape.com'
> Cc: 'ietf-pkix@imc.org'
> Subject: Re: Extended Key Usage and path validation
> 
> 
> Terry Hayes said:
> 
> > In fact, I probably could be convinced that Certificate 
> > Policies is the correct way of checking the validity of a 
> > path for a particular purpose.
> 
> Using certificate policies makes a lot of sense, but note that the CA
> issuing the end-entity certificate still has some flexibility over what
> policy identifiers are included in the end-entity certificate. In the
> following example (which I believe to be legal), CA 1 asserts nothing about
> signing S/MIME messages:
> 
> Issuer  Subject  Policy Identifiers
> ------  -------  ------------------
> CA 1    CA 2     id-foo, id-goo
> CA 2    CA 3     id-goo, id-hoo
> CA 3    Alice    id-goo, id-smime
> 
> In the above example, the most superior certificate is not self signed.
> 
> Frank
>
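
Added example, not part of Frank Balluffi's message or the quoted thread: a Python sketch of the certificate-policy step of path validation, simplified to set intersection with anyPolicy as a wildcard. The simplification (no policy mappings, policy constraints or inhibitAnyPolicy) and the function names are assumptions; the two tables from the thread are copied in as data, with the single row of the reply treated as a one-certificate path.

```python
ANY_POLICY = "anyPolicy"  # wildcard policy, OID 2.5.29.32.0


def valid_policy_set(path):
    """Policies that hold for the whole path (simplified model, an assumption).

    path: (issuer, subject, policies) tuples, ordered from the most
    superior certificate down to the end-entity certificate.
    """
    valid = {ANY_POLICY}  # before the first certificate nothing is constrained
    for _issuer, _subject, policies in path:
        asserted = set(policies)
        if ANY_POLICY in asserted:
            if ANY_POLICY in valid:
                valid |= asserted      # both sides are wildcards
            # otherwise the wildcard keeps what was already valid
        elif ANY_POLICY in valid:
            valid = asserted           # first real constraint on the path
        else:
            valid &= asserted          # a policy must appear in every cert
        if not valid:
            break                      # nothing can become valid again
    return valid


def path_allows(path, policy):
    """True if `policy` (or the wildcard) is valid for the whole path."""
    valid = valid_policy_set(path)
    return policy in valid or ANY_POLICY in valid


# The two tables from the thread, copied as data.
QUOTED_PATH = [
    ("CA 1", "CA 2", ["id-foo", "id-goo"]),
    ("CA 2", "CA 3", ["id-goo", "id-hoo"]),
    ("CA 3", "Alice", ["id-goo", "id-smime"]),
]
REPLY_ROW = [("CA 1", "CA 2", ["id-smime"])]

if __name__ == "__main__":
    for name, path in (("quoted path", QUOTED_PATH), ("reply row", REPLY_ROW)):
        print(name, sorted(valid_policy_set(path)),
              "id-smime allowed:", path_allows(path, "id-smime"))
```

In this model only id-goo holds for the quoted path, because id-smime appears in Alice's certificate alone, while the row in the reply leaves id-smime as the only policy that can hold for anything issued below CA 2.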