
Re: Open Issue in Part1: path length constraints



Dave,

Then is it your suggestion that all PKIX words regarding issuance of
CRLs by "conforming CAs" be extended to "conforming CAs and end entities",
or is it your suggestion that CRLs MUST NOT be verified except by a
public key which is also permitted to verify certificates?

I strongly disagree with the latter, of course.

I disagree with the former too, since it is my belief that a "conforming
CA" is the organization which signs the CRL, not the public key which
signs the CRL.  But if PKIX chooses to regard some CRL signers as end
entities, then it must have words which permit some end entities to
sign CRLs.

Dave



> Date: Mon, 05 Mar 2001 16:30:10 -0500
> From: David Simonetti <dsimonetti@xxxxxxxxxxxx>
>
> Dave,
> 
> Responding to your question:
> 
> > If that certificate has cA=false, and keyCertSign=0 and cRLSign=1,
> > isn't the subject of the certificate "a conforming CA"?
> 
> No, it is an end entity.
> --
> David Simonetti
> Securify (www.securify.com), 410-356-2260
>