[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: DPD & DPV Basics

To: Ambarish Malpani <ambarish@xxxxxxxxxxxx>
Subject: RE: DPD & DPV Basics
From: Stephen Kent <kent@xxxxxxx>
Date: Tue, 16 Jan 2001 14:30:07 -0500
Cc: PKIX List <ietf-pkix@xxxxxxx>
In-reply-to: <>
References: <>

Ambarish,

Hi Steve,
    I agree with both this mail and the one you sent to Carlin
earlier - I would fully expect the client to send the server
the kind of use it wants to use the certificate for (IPSec, S/MIME,
SSL) and the appropriate information that would depend on the
protocol (the e-mail address of the sender/recipient, the address
it thinks it is connecting to, etc).

The DPV server needs to figure out what the right key usage/
extended key usage bits are, how to do validation, etc. I would
expect servers to support commonly known protocols and be expandable
for other/future protocols.

As I mentioned in my response to Steve Hanna, I think this is not a good model, because it suggests that the protocol and server can anticipate all the requirements for ID matching that any client might require. I prefer a model in which the server returns extracted data from the cert for use by the client, for clients that are not capable of parsing the target cert.

Steve

References:
- RE: DPD & DPV Basics
  - From: Ambarish Malpani

Prev by Date: RE: Basic Cert-2-Directory mapping question
Next by Date: RE: DPD & DPV requirements - Recursion Issues
Previous by thread: RE: DPD & DPV Basics
Next by thread: RE: DPD & DPV Basics
Index(es):
- Date
- Thread