RE: Open Issue in Part1: path length constraints
Dave(s), et alia,
>Then is it your suggestion that all PKIX words regarding issuance of
>CRLs by "conforming CAs" be extended to "conforming CAs and end entities",
>or is it your suggestion that CRLs MUST NOT be verified except by a
>public key which is also permitted to verify certificates?
>I strongly disagree with the latter, of course.
>I disagree with the former too, since it is my belief that a "conforming
>CA" is the organization which signs the CRL, not the public key which
>signs the CRL. But if PKIX chooses to regard some CRL signers as end
>entities, then it must have words which permit some end entities to
>sign CRLs.
I would support the former, or some variant of it. Let's be clear about
our terminology. We don't call an entity which signs OCSP responses but
doesn't sign certificates and has basicConstraints absent a "CA". We
shouldn't call an entity which signs CRLs but doesn't sign certificates and
has basicConstraints absent a "CA", either.
If we're sloppy with the terminology, somebody later on is going to fail to
grasp the subtlety of it and get this wrong.
Al Arsenault
Chief Security Architect
Diversinet Corp.