Re: Open Issue in Part1: path length constraints
Let's make this a fair fight and make it three on three. This David agrees with
Steve and John.
In Tim's original message:
"CA "A" issues a CA certificate to CA "B". "A" trusts end entity
certificates issued by "B", but does not trust "B" to issue certificates to
other CAs. "A" includes basic constraints in the certificate it issues to
"B" with cA = TRUE and pathLen = 0."
""B" does not issue its own CRLs, but delegates this to CA "C". "B" also
trusts "C" to issue end entity certificates. So, "B" includes basic
constraints in the certificate it issues to "B" with cA = TRUE."
Let me begin by stating that I really dislike this scenario. Theoretically this
is possible, but why would anyone architect such a design? If I really had to
address this scenario, a design that fits within the current semantics would be
one that creates a distinct "personality" for issuing the CRLs which could be
issued an end entity certificate with the cRLSign bit set.
Stay with the current semantics and stop trying to break things that really
aren't broken.
Dave S.
Steve Hanna wrote:
> Steve Hanna wrote:
> > P.S. I have not seen anything approaching rough consensus on the basic
> > question of which of these semantics we should use. John Linn and I
> > have sent email favoring the RFC 2459 semantics (pathLenConstraint
> > being the maximum number of subsequent CA certificates allowed). You
> > and David Cross have sent email favoring the new-part1 semantics
> > (pathLenConstraint being the maximum number of intermediate
> > certificates allowed). If there is no further discussion on the list,
> > we may need to check consensus in Minneapolis.
>
> I forgot that David Cooper also sent email favoring the new-part1
> semantics. Sorry! That makes three Davids in favor of the new-part1
> semantics and Steve and John in favor of the RFC 2459 semantics. Still
> closely divided.
>
> -Steve
--
David Simonetti
Securify (www.securify.com), 410-356-2260
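The two readings of pathLenConstraint under debate in this thread can be made concrete with a small path checker. The code below is an added illustration, not part of the original message or of any PKIX draft; certificates are constructed sample records, not parsed X.509, and only the basic-constraints rule is checked (signatures and name chaining are out of scope). It assumes the reading of the new-part1 semantics in which the last certificate of a path is never counted as "intermediate", which is exactly what lets Tim's CA "C" sit at the end of the CRL validation path.

```python
"""Added example (not from the original post): compare the RFC 2459 and
new-part1 readings of pathLenConstraint on Tim's A/B/C scenario.

  rfc2459   - pathLenConstraint is the maximum number of CA certificates
              that may follow the constrained certificate in the path.
  new-part1 - pathLenConstraint is the maximum number of intermediate
              certificates that may follow it; the last certificate in the
              path is not intermediate even when it is a CA certificate.
"""


def cert(subject, issuer, ca, path_len=None, key_usage=()):
    """Build a constructed certificate record (sample data, not real X.509)."""
    return {"subject": subject, "issuer": issuer, "ca": ca,
            "path_len": path_len, "key_usage": frozenset(key_usage)}


def check_path_len(chain, semantics):
    """Return (ok, reason) for a chain ordered trust anchor -> target."""
    if semantics not in ("rfc2459", "new-part1"):
        raise ValueError("unknown semantics: %r" % semantics)
    # Every certificate except the last must be a CA certificate.
    for c in chain[:-1]:
        if not c["ca"]:
            return False, "%s is not a CA but has certificates below it" % c["subject"]
    for i, c in enumerate(chain):
        if not c["ca"] or c["path_len"] is None:
            continue
        followers = chain[i + 1:]
        if semantics == "rfc2459":
            # Every CA certificate after this one counts, the last one included.
            counted = [f for f in followers if f["ca"]]
        else:
            # Only intermediate certificates count: the last cert is excluded.
            counted = [f for f in followers[:-1] if f["ca"]]
        if len(counted) > c["path_len"]:
            return False, "%s: pathLen=%d but %d CA cert(s) follow under %s" % (
                c["subject"], c["path_len"], len(counted), semantics)
    return True, "ok"


# Tim's scenario, as constructed records.
A = cert("A", "A", ca=True)                                    # trust anchor
B = cert("B", "A", ca=True, path_len=0)                         # EE certs only
C = cert("C", "B", ca=True, key_usage={"cRLSign", "keyCertSign"})  # CRL issuer
EE = cert("ee", "C", ca=False)                                  # EE issued by C
# Dave's alternative: a distinct CRL-signing identity with an EE certificate.
C_CRL = cert("C-crl", "B", ca=False, key_usage={"cRLSign"})


def scenario():
    """Outcome of each path under each semantics (True = path length OK)."""
    return {
        "crl-path/rfc2459": check_path_len([A, B, C], "rfc2459")[0],
        "crl-path/new-part1": check_path_len([A, B, C], "new-part1")[0],
        "ee-via-C/rfc2459": check_path_len([A, B, C, EE], "rfc2459")[0],
        "ee-via-C/new-part1": check_path_len([A, B, C, EE], "new-part1")[0],
        "ee-crl-signer/rfc2459": check_path_len([A, B, C_CRL], "rfc2459")[0],
        "ee-crl-signer/new-part1": check_path_len([A, B, C_CRL], "new-part1")[0],
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print("%-26s %s" % (name, "valid" if ok else "rejected"))
```

The only row where the two semantics disagree is the CRL validation path A -> B -> C, where C's CA certificate is the last certificate in the path: RFC 2459 counts it against B's pathLen of 0, new-part1 does not. Both readings reject end-entity certificates issued by C, and both accept the end-entity CRL-signer certificate that Dave proposes, which is why that design needs no change to the semantics.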