
RE: DPD & DPV requirements



Frank Balluffi said:

>Would it be valuable for a client to be able to supply the end-entity
>certificate and the trusted certificate in the path?

Steve Kent said:

> What if we say that the chain could be partial?
> 
> A trust point (anchor) is a root and the client can specify one or 
> more of these as part of the path validation parameter set, 
> explicitly or via reference.

Steve Hanna said:

> One good reason to allow the client to supply to a DPD server an
> arbitrary collection of certificates is that this is exactly what's
> delivered in a signed S/MIME message: a bunch of certificates that may
> be useful in building a path from a trust anchor to the sender.
> Multiple intermediate certificates are explicitly allowed.

Steve Kent said:

> OK, that's a good argument! The argument to the server then would be
> a lump (a new ASN.1 construct) of certs, with no implied ordering,
> and the server is left to sort it out. If a partial or complete
> chain is sent, it is a valid example of the lump of certs model,
> which happens to be ordered already. I could live with that.

A lump of certs makes sense to me.

Frank
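
To make the "lump of certs" model concrete, here is an added example (not code from the thread, from any DPD/DPV draft, or from any PKIX implementation) showing how a server could sort out an unordered bag of certificates: it takes the end-entity certificate, the lump, and the client's trust anchors, and builds an ordered path from the end entity to an anchor by name chaining, branching on cross-certificates and stopping on loops. The certificate structure, the names (Root, CA1, CA2, alice, bob, OtherCA, OtherRoot), the serials and the sample lump are all constructed for the illustration; signature checking at each link is deliberately omitted so the example runs with the standard library only.

```python
"""Path building from an unordered 'lump' of certificates (illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate carrying only the fields
    that name chaining needs. A real server would also verify each
    certificate's signature against its issuer's public key at every step;
    that is left out here so the example needs no crypto library."""
    subject: str
    issuer: str
    serial: int


def build_path(end_entity: Cert, lump: List[Cert],
               trust_anchors: List[Cert]) -> Optional[List[Cert]]:
    """Return an ordered path [end_entity, ..., trust_anchor] assembled from
    an unordered collection of certificates, or None if no path exists.

    Depth-first search from the end entity toward an anchor. Several
    certificates in the lump may share a subject (cross-certificates), so
    each issuer name can branch; the visited set stops cycles such as two
    CAs that have cross-certified each other."""
    by_subject: Dict[str, List[Cert]] = {}
    for c in lump:
        by_subject.setdefault(c.subject, []).append(c)
    anchors = {a.subject: a for a in trust_anchors}

    def search(chain: List[Cert], visited: Set[Cert]) -> Optional[List[Cert]]:
        current = chain[-1]
        # Terminate as soon as the current issuer is one of the client's anchors.
        if current.issuer in anchors:
            return chain + [anchors[current.issuer]]
        for cand in by_subject.get(current.issuer, []):
            # Skip certificates already on the chain (a loop) and self-signed
            # certificates that are not anchors (an untrusted root).
            if cand in visited or cand.subject == cand.issuer:
                continue
            found = search(chain + [cand], visited | {cand})
            if found is not None:
                return found
        return None

    return search([end_entity], {end_entity})


def path_names(path: Optional[List[Cert]]) -> Optional[List[str]]:
    """Subject names along a path, for readable output and checks."""
    return None if path is None else [c.subject for c in path]


# Constructed sample data, not taken from any real PKI.
ROOT = Cert("Root", "Root", 1)
OTHER_ROOT = Cert("OtherRoot", "OtherRoot", 2)
CA1 = Cert("CA1", "Root", 10)
CA2 = Cert("CA2", "CA1", 11)
CA1_CROSS = Cert("CA1", "CA2", 12)        # cross-cert: creates a CA1<->CA2 loop
OTHER_CA = Cert("OtherCA", "OtherRoot", 20)
ALICE = Cert("alice", "CA2", 100)
BOB = Cert("bob", "OtherCA", 200)

# The lump as a recipient of a signed S/MIME message might receive it:
# unordered, with the sender's own cert, an unrelated chain, a cross-cert
# and an untrusted root all mixed in.
LUMP = [OTHER_CA, CA1_CROSS, CA2, BOB, OTHER_ROOT, ALICE, CA1, ROOT]


if __name__ == "__main__":
    print("alice, anchor Root:    ", path_names(build_path(ALICE, LUMP, [ROOT])))
    print("alice, lump reversed:  ", path_names(build_path(ALICE, LUMP[::-1], [ROOT])))
    print("bob,   anchor Root:    ", path_names(build_path(BOB, LUMP, [ROOT])))
    print("bob,   anchor OtherRoot:", path_names(build_path(BOB, LUMP, [OTHER_ROOT])))
    # An already ordered partial chain is just a special case of the lump.
    print("alice, ordered partial:", path_names(build_path(ALICE, [CA2, CA1], [ROOT])))
```

The same path comes out whether the lump is passed in the order above or reversed, which is the point of saying the lump carries no implied ordering; an ordered partial chain such as `[CA2, CA1]` is simply a lump that happens to need no sorting. Note that a path is only ever terminated at an anchor the client supplied, so bob's chain, which ends at OtherRoot, is rejected unless OtherRoot is among the anchors.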