RE: DPD & DPV Basics
Frank,
See comments below.
-----Original Message-----
From: Frank Balluffi [mailto:frankb@xxxxxxxxxxxx]
Sent: Thursday, January 11, 2001 2:31 PM
To: 'Steve Hanna'; PKIX List
Subject: RE: DPD & DPV Basics
<snip>
1. Can someone explain the value of a DPD server returning a path that may
not be valid?
<snip>
[Carlin]
I agree that returning a path that may not be valid would not be the normal
case.
However, I can think of some circumstances in which it would be useful.
The returned certificate path might include a certificate that has expired,
or which is currently suspended. The DPD client may be willing to accept
such an invalid chain for certain purposes.
Another case is a valid chain that traces to a root that is not one of the
client's trust anchors. The DPD client might be willing to add that root to
its set of trust anchors.
A third case is a chain that the DPD client can validate, but the DPD server
cannot.
(For instance, the client may be able to validate a certificate signed with ECDSA,
whereas the server may have no means to do so.)
Regards,
Carlin
--------------------------------------
- Carlin Covey
Cylink Corp.
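The point of Carlin's three cases is that the DPD server only discovers a path; deciding whether an imperfect path is good enough for a particular purpose stays with the client. The following is an added example, not code from the PKIX thread or from any DPD implementation. It models the client side with plain dataclasses and constructed sample certificates (the names, dates and algorithm labels are hypothetical, not real X.509 data) and shows a client re-validating a returned path against its own clock, trust anchors and supported algorithms, while a policy object decides which of the defects from the post (expired or suspended certificate, unknown root) it will tolerate and which it never will (revocation, broken chaining, a signature it cannot verify).

```python
"""Added example: a DPD client validating a path the server returned.

Certificates are dataclasses with constructed sample values, not real
X.509, so the checks are a model of the decisions the client must make
for itself (chaining, validity period, revocation status, trust anchor,
signature algorithm) when the DPD server's path may not be valid.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    sig_alg: str            # algorithm the issuer used to sign this cert
    status: str = "good"    # "good", "suspended" or "revoked"


@dataclass
class ClientPolicy:
    trust_anchors: frozenset    # subjects of the roots this client trusts
    supported_algs: frozenset   # signature algorithms this client can verify
    accept_expired: bool = False          # case 1: tolerate an expired cert
    accept_suspended: bool = False        # case 1: tolerate a suspended cert
    accept_untrusted_root: bool = False   # case 2: root is not (yet) an anchor


def validate_path(path, policy, now):
    """Check a DPD-returned path (leaf first, self-signed root last).

    Returns (accepted, findings): every defect is recorded in findings,
    and accepted is True only when each defect is one the policy tolerates.
    """
    if not path:
        return False, ["empty path"]
    findings, fatal = [], False
    for i, cert in enumerate(path):
        # Chaining: each certificate must name the next one as its issuer.
        if i + 1 < len(path) and cert.issuer != path[i + 1].subject:
            findings.append(f"{cert.subject}: issuer does not match next cert")
            fatal = True
        # Case 3: the client, not the server, must be able to verify it.
        if cert.sig_alg not in policy.supported_algs:
            findings.append(f"{cert.subject}: cannot verify {cert.sig_alg}")
            fatal = True
        if cert.not_after < now:
            findings.append(f"{cert.subject}: expired {cert.not_after.date()}")
            fatal = fatal or not policy.accept_expired
        if cert.status == "suspended":
            findings.append(f"{cert.subject}: suspended")
            fatal = fatal or not policy.accept_suspended
        elif cert.status == "revoked":       # never acceptable
            findings.append(f"{cert.subject}: revoked")
            fatal = True
    root = path[-1]
    if root.issuer != root.subject:
        findings.append(f"{root.subject}: path does not end at a self-signed root")
        fatal = True
    elif root.subject not in policy.trust_anchors:
        findings.append(f"{root.subject}: not one of the client's trust anchors")
        fatal = fatal or not policy.accept_untrusted_root
    return not fatal, findings


# Constructed sample data; names, dates and algorithm labels are hypothetical.
def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = _utc(2001, 1, 11)
ROOT = Cert("Example Root CA", "Example Root CA", _utc(2010, 1, 1), "sha1WithRSA")
SUB = Cert("Example Sub CA", "Example Root CA", _utc(2005, 1, 1), "sha1WithRSA")
LEAF_OK = Cert("alice", "Example Sub CA", _utc(2002, 1, 1), "sha1WithRSA")
LEAF_EXPIRED = Cert("bob", "Example Sub CA", _utc(2000, 6, 1), "sha1WithRSA")
LEAF_SUSPENDED = Cert("carol", "Example Sub CA", _utc(2002, 1, 1), "sha1WithRSA", "suspended")
LEAF_REVOKED = Cert("dave", "Example Sub CA", _utc(2002, 1, 1), "sha1WithRSA", "revoked")
LEAF_ECDSA = Cert("erin", "Example Sub CA", _utc(2002, 1, 1), "ecdsa-with-SHA1")
OTHER_ROOT = Cert("Other Root CA", "Other Root CA", _utc(2010, 1, 1), "sha1WithRSA")
LEAF_OTHER = Cert("frank", "Other Root CA", _utc(2002, 1, 1), "sha1WithRSA")

ANCHORS = frozenset({"Example Root CA"})
STRICT = ClientPolicy(ANCHORS, frozenset({"sha1WithRSA", "ecdsa-with-SHA1"}))
LENIENT = ClientPolicy(ANCHORS, STRICT.supported_algs, accept_expired=True,
                       accept_suspended=True, accept_untrusted_root=True)
RSA_ONLY = ClientPolicy(ANCHORS, frozenset({"sha1WithRSA"}))   # a client without ECDSA


def run_scenarios():
    """Each case from the post under a strict and a lenient client policy."""
    cases = {
        "valid": ([LEAF_OK, SUB, ROOT], STRICT),
        "expired_strict": ([LEAF_EXPIRED, SUB, ROOT], STRICT),
        "expired_lenient": ([LEAF_EXPIRED, SUB, ROOT], LENIENT),
        "suspended_lenient": ([LEAF_SUSPENDED, SUB, ROOT], LENIENT),
        "revoked_lenient": ([LEAF_REVOKED, SUB, ROOT], LENIENT),
        "other_root_strict": ([LEAF_OTHER, OTHER_ROOT], STRICT),
        "other_root_lenient": ([LEAF_OTHER, OTHER_ROOT], LENIENT),
        "ecdsa_client_can": ([LEAF_ECDSA, SUB, ROOT], STRICT),
        "ecdsa_client_cannot": ([LEAF_ECDSA, SUB, ROOT], RSA_ONLY),
        "broken_chain": ([LEAF_OK, ROOT], LENIENT),
    }
    return {name: validate_path(p, pol, NOW) for name, (p, pol) in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:20} {'accept' if ok else 'reject':7} {'; '.join(why)}")
```

The design choice worth noting is that `validate_path` never hides a defect: a lenient policy changes only the verdict, and the findings list still records that the leaf was expired or that the root is not an anchor, so the caller can log or display why a path that strict validation would reject was accepted. Revocation and unverifiable signatures are deliberately outside the policy knobs, since no purpose in Carlin's list justifies relying on them.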