[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Required Algorithms for Certificates

To: "'Russ Housley'" <housley@xxxxxxxxxx>, ietf-pkix@xxxxxxx
Subject: RE: Required Algorithms for Certificates
From: Ambarish Malpani <ambarish@xxxxxxxxxxxx>
Date: Thu, 21 Dec 2000 10:11:52 -0800

Hi Russ,
    Shouldn't RSA be the MUST.

What SAAG didn't conclude on was whether DSA should also be a MUST.
While I don't have a strong opinion on that, I think DSA should
just be a MAY, so that CAs who have clients who demand DSA can
implement it, while those who don't, don't need to, just to be
compliant.

The way you posted the mail, it should like neither DSA nor RSA are
a must, but (DSA or RSA) is a MUST.


A

---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@valicert.com
339 N. Bernardo Ave.                          http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Russ Housley [mailto:housley@spyrus.com]
> Sent: Wednesday, December 20, 2000 9:06 AM
> To: ietf-pkix@imc.org
> Subject: Re: Required Algorithms for Certificates
> 
> 
> As everyone who was at the meeting in San Diego knows, this 
> posting lead to 
> a long discussions in PKIX, S/MIME, and SAAG sessions.  Based 
> on those 
> discussions, I suggest a possible way forward for son-of-rfc2459.
> 
> CAs MUST be able to sign certificates and CRLs with at least 
> one of the 
> following:
>          - DSA with SHA-1, or
>          - RSA with SHA-1.
> 
> CAs MAY sign certificates and CRLs with any additional 
> algorithms that they 
> wish.
> 
> Certificate users MUST be able to validate signatures on 
> certificates and 
> CRLs with all of the following:
>          - DSA with SHA-1, and
>          - RSA with SHA-1.
> 
> Certificate users MAY validate signatures on certificates and 
> CRLs with any 
> additional algorithms that they wish.
> 
> Russ
> 
> At 05:45 PM 12/12/2000 -0800, Jim Schaad wrote:
> >In reviewing the algorithm draft 
> (draft-ietf-pkix-ipki-pkalgs-01.txt) again,
> >I remembered that I did have one problem with the draft.  I 
> think that it is
> >fine that the certificate structure draft does not contain algorithm
> >information.  However I feel that the algorithms draft needs 
> to have some
> >MUST style statements contained in it.  I propose adding the 
> following text:
> >
> >To fully comply with this document, implementations MUST support DSA
> >Signature (section 2.2.2).  Implementations MAY support MD2 
> RSA signatures
> >for validation but MUST NOT create new certificates using 
> this algorithm.
> >Implementations MAY support all other algorithms in this 
> document at their
> >discretion.
> >
> >jim schaad
>

Follow-Ups:
- RE: Required Algorithms for Certificates
  - From: Jim Schaad

Prev by Date: [no subject]
Next by Date: Permanet identifier assignement
Previous by thread: Re: Required Algorithms for Certificates
Next by thread: RE: Required Algorithms for Certificates
Index(es):
- Date
- Thread