RE: DPD & DPV requirements



Frank,

Frank Balluffi said:

 > >The client should supply some subset of each requested path which must
 > >include the least significant certificate and optionally:
 > >
 > >- one or more intermediate certificates
 > >- one or more trusted certificates

Steve Kent said:

 > An intermediate cert that is not trusted, but is not the end of a
 > partial path?  Why?  This is getting complicated.

OK. It is difficult for me to imagine a client supplying intermediate
certificates. But requirement 1.1 only supports a single certificate or a
chain:

1.1     A client request can contain a single certificate or a certificate
chain terminating in the "target" certificate, to assist the server in path
construction.

Would it be valuable for a client to be able to supply the end-entity
certificate and the trusted certificate in the path?

What if we say that the chain could be partial?


A trust point (anchor) is a root and the client can specify one or more of these as part of the path validation parameter set, explicitly or via reference.

Steve