
Re: Open Issue in Part1: path length constraints



Steve,

Last week Hoyt Kesterson sent a message to the PKIX list pointing out some defect reports against X.509. One of these, DR 272, deals with path length constraints:

ftp://ftp.bull.com/pub/OSIdirectory/DefectResolution/DefectReports/X.509andRelated/DR_272Rev1.pdf

DR 272 proposes adding some new text to X.509 to help clarify the meaning of path length constraints in public key and attribute certificates. From my reading of the text, there seems to be an assumption that every certification path will end with an end-entity certificate as in the following sentence:

    The constraint controls the number of non self-issued CA certificates between
    the CA certificate containing the constraint and the end-entity certificate.

Hoyt's message states that DR 272 has not yet been submitted for formal voting, but that it will be soon. We should keep this in mind when deciding on the text to use in new-part1 so we can ensure that X.509 and new-part1 are both clear and consistent in this area.

Dave

At 01:28 PM 2/28/01 -0500, Steve Hanna wrote:
>I have not seen anything approaching rough consensus on the basic
>question of which of these semantics we should use. John Linn and I have
>sent email favoring the RFC 2459 semantics (pathLenConstraint being the
>maximum number of subsequent CA certificates allowed). You and David
>Cross have sent email favoring the new-part1 semantics
>(pathLenConstraint being the maximum number of intermediate certificates
>allowed). If there is no further discussion on the list, we may need to
>check consensus in Minneapolis.
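
As an added illustration, not part of Dave's or Steve's messages, the following Python models the two readings of pathLenConstraint under discussion (the RFC 2459 reading, counting subsequent CA certificates, and the new-part1 reading, counting intermediate certificates) and applies both to constructed certification paths, including the case Dave raises: a path whose last certificate is a CA certificate rather than an end-entity certificate. Certificates are a minimal dataclass rather than parsed X.509, the trust anchor "Root" and all subject names are made up, and the optional exclusion of self-issued certificates (the "non self-issued" wording quoted from DR 272) is a parameter of the example, not something either message specifies.

```python
"""Two readings of pathLenConstraint applied to a certification path.

A path is ordered from the certificate issued by the trust anchor to the
target certificate; the trust anchor itself is not in the path.  This is an
illustrative model, not a parser for real certificates.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool                      # basicConstraints.cA
    path_len: Optional[int] = None   # basicConstraints.pathLenConstraint

    @property
    def self_issued(self) -> bool:
        # X.509 calls a certificate self-issued when issuer and subject match.
        return self.subject == self.issuer


def subsequent_ca_count(path: List[Cert], i: int,
                        skip_self_issued: bool = True) -> int:
    """RFC 2459 reading: CA certificates that follow path[i].
    The target certificate is counted if it is itself a CA certificate."""
    return sum(1 for c in path[i + 1:]
               if c.is_ca and not (skip_self_issued and c.self_issued))


def intermediate_count(path: List[Cert], i: int,
                       skip_self_issued: bool = True) -> int:
    """new-part1 reading: intermediate certificates that follow path[i].
    The final (target) certificate is never intermediate, CA or not."""
    return sum(1 for c in path[i + 1:-1]
               if not (skip_self_issued and c.self_issued))


def violations(path: List[Cert],
               count_fn: Callable[[List[Cert], int, bool], int],
               skip_self_issued: bool = True) -> List[str]:
    """One line per CA certificate whose pathLenConstraint is exceeded
    under the counting rule count_fn.  (cA and signature checks on the
    path are assumed to be done elsewhere.)"""
    out = []
    for i, cert in enumerate(path):
        if cert.is_ca and cert.path_len is not None:
            n = count_fn(path, i, skip_self_issued)
            if n > cert.path_len:
                out.append(f"{cert.subject}: pathLenConstraint={cert.path_len} "
                           f"but {n} counted after it")
    return out


def compare(path: List[Cert]) -> Dict[str, List[str]]:
    """Run both readings over the same path so divergences stand out."""
    return {"rfc2459": violations(path, subsequent_ca_count),
            "new_part1": violations(path, intermediate_count)}


# Constructed example paths (hypothetical names; "Root" is the trust anchor).
# Ordinary path ending in an end-entity certificate: both readings agree.
EE_PATH = [
    Cert("CA1", "Root", is_ca=True, path_len=0),
    Cert("CA2", "CA1", is_ca=True),
    Cert("alice", "CA2", is_ca=False),
]
# Path whose target is a CA certificate (e.g. validating a CA or an attribute
# certificate issuer directly): the two readings give different answers.
CA_TARGET_PATH = [
    Cert("CA1", "Root", is_ca=True, path_len=0),
    Cert("CA2", "CA1", is_ca=True),
]
# CA1 re-keys with a self-issued certificate; whether that certificate counts
# depends on the "non self-issued" exclusion in the DR 272 wording.
REKEY_PATH = [
    Cert("CA1", "Root", is_ca=True, path_len=0),
    Cert("CA1", "CA1", is_ca=True),
    Cert("alice", "CA1", is_ca=False),
]

if __name__ == "__main__":
    for name, path in (("EE_PATH", EE_PATH),
                       ("CA_TARGET_PATH", CA_TARGET_PATH),
                       ("REKEY_PATH", REKEY_PATH)):
        print(name, compare(path))
    print("REKEY_PATH, self-issued counted:",
          violations(REKEY_PATH, subsequent_ca_count, skip_self_issued=False))
```

On EE_PATH both readings reject CA1's pathLenConstraint of 0; on CA_TARGET_PATH the RFC 2459 reading rejects the path while the new-part1 reading accepts it, which is exactly the ambiguity that text assuming an end-entity certificate at the end of every path leaves open.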