Re: Holder
The primary use I can think of for format 7, 9, or 11 is to permit an
AC to accompany (or simply be stored with) a signed document, transaction,
or message without requiring the PKC to do so. The RP can then look up the
PKC. As I have stated before, in any case like this format 11 or format 9
is preferable to format 5. Formats 4 and 5 are appropriate when the PKC
accompanies the AC or precedes it in a protocol, but not otherwise.
Since format 9 (or format 11) is preferable to format 5 when the AC is
sent or stored independently of the PKC and also carries out all the
functions of format 5, I would replace your references to format 5 by
references to format 9 (or format 11). Formats 2, 4, and 9 make a
reasonable minimal set, as do 2, 4, and 11.
Tom Gindin
Steve Hanna <steve.hanna@sun.com> on 11/10/2000 10:56:55 AM
To: ietf-pkix@imc.org
cc:
Subject: Re: Holder
Well, my list of scenarios does not seem to be helping us resolve this
issue.
I will make a specific proposal, seeking comments or consensus. Since
none of the scenarios demonstrates a need for hints in Holder formats
that include the objectDigestInfo component, I propose that we adopt the
following recommendation, which would be incorporated into the next
version of ac509 (along with text explaining the various formats, how
they must be handled for validation purposes, and why each one might be
preferred to the others).
AC issuers SHOULD use only formats 2, 4, or 5. They MAY use other
formats, as necessary. AC verifiers SHOULD support formats 2, 4, and
5 (subject to specific requirements and configuration). They MAY
support other formats.
I welcome comments from others on this proposal. A good argument can be
made for replacing format 5 with format 9, if only for debugging
purposes. But I'd rather not recommend support for both, if possible.
-Steve