[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DPD & DPV requirements

To: Stephen Kent <kent@xxxxxxx>
Subject: Re: DPD & DPV requirements
From: Steve Hanna <steve.hanna@xxxxxxx>
Date: Fri, 12 Jan 2001 17:51:42 -0500
Cc: Frank Balluffi <frankb@xxxxxxxxxxxx>, ietf-pkix@xxxxxxx
Organization: Sun Microsystems, Inc.
References: <> <>

Stephen Kent wrote:
> >Frank Balluffi said:
> >
> >  > >The client should supply some subset of each requested path
> >  > which must
> >  > >include the least significant certificate and optionally:
> >  > >
> >  > >- one or more intermediate certificates
> >  > >- one or more trusted certificates
> >
> >Steve Kent said:
> >
> >  > An intermediate cert that is not trusted, but is not the end of a
> >  > partial path?  Why?  This is getting complicated.

One good reason to allow the client to supply to a DPD server an
arbitrary collection of certificates is that this is exactly what's
delivered in a signed S/MIME message: a bunch of certificates that may
be useful in building a path from a trust anchor to the sender. Multiple
intermediate certificates are explicitly allowed.

For instance, I might have an EE cert from Sun, which has CA certs from
Thawte and the Federal Bridge CA. When sending an email, I might include
all of these certs with the message. The DPD server can use these in
conjunction with the client's trust anchors (perhaps a self-signed
Thawte cert) to build a path.

-Steve

Follow-Ups:
- Re: DPD & DPV requirements
  - From: Stephen Kent

References:
- RE: DPD & DPV requirements
  - From: Frank Balluffi
- RE: DPD & DPV requirements
  - From: Stephen Kent

Prev by Date: RE: DPD & DPV requirements
Next by Date: RE: DPD & DPV requirements - Recursion Issues
Previous by thread: RE: DPD & DPV requirements
Next by thread: Re: DPD & DPV requirements
Index(es):
- Date
- Thread