Re: The CP Extension (was Re: Extended Key Usage and path validation)



"David P. Kemp" wrote:
> 
> X.509 says:
> 
>     Typically, different certificate policies will relate to different
>     applications which may use the certified key.
> 
> and the example under policy mappings refers to policies for "Canadian Trade",
> "U.S. Trade", and "North American Trade".
> 
> This example coincides with my impression that the "purposes" referred
> to in new-part1 and the "applications" in X.509 are things which are
> specific to a business domain (banking, DoD, Xcert, VeriSign) rather
> than things which are specific to communication protocols (email, web,
> VPN, ...).  If you refer to issuing practices and usages,
> "International Trade" or "Organization A" would be the usage, which
> specifies a policy domain under which "lax" and "strict" are defined.
> Under this interpretation, usage and assurance are not orthogonal;
> Organization B might have a significantly different definition of "lax".
> 

I understand that point of view, and I think it's perfectly viable.  I also
like your proposed rewording for new-part1:

> Perhaps it would be less ambiguous if new-part1 said:
> 
>    In an end-entity certificate, each policy information term indicates
>    the policy under which the certificate has been issued and the purposes
>    for which the certificate may be used.
> 
> instead of:
> 
>   In an end-entity certificate, these policy information terms indicate ...
> 
> That would make it clear that there can be more than one term, but each
> term indicates both a certificate policy and some purposes under that policy.
> 

I suggest the draft go further, though, and specifically address the point of
view you've described.  I suggest that in the KU and EKU sections that the
word "purpose" be replaced with the word "protocol" to make it clear that
these extensions deal with technical matters.

I also suggest that the CP section specifically talk about "organizational
purposes" and "non-technical uses" instead of just "purposes" and "uses".

I'd be happy to suggest some text if people think this is a good idea.

[ snip ]

> A rule of thumb might be that KU/EKU specifies things which could be
> wired into a generic toolkit, but CP specifies things which must be
> decided by application-specific code.

I agree, but I do think the draft should be much clearer about this.

		Marc

+------------------------------------------------------------------------+
 Marc Branchaud                                  \/
 Chief PKI Architect                             /\CERT INTERNATIONAL INC.
 marcnarc@xcert.com        PKI References page:              www.xcert.com
 604-640-6227          www.xcert.com/~marcnarc/PKI/
+------------------------------------------------------------------------+