Re: Open Issue in Part1: path length constraints
I agree with Al.
Dave S.
Al Arsenault wrote:
> Dave(s), et alia,
>
> >Then is it your suggestion that all PKIX words regarding issuance of
> >CRLs by "conforming CAs" be extended to "conforming CAs and end entities",
> >or is it your suggestion that CRLs MUST NOT be verified except by a
> >public key which is also permitted to verify certificates?
> >
> >I strongly disagree with the latter, of course.
> >
> >I disagree with the former too, since it is my belief that a "conforming
> >CA" is the organization which signs the CRL, not the public key which
> >signs the CRL. But if PKIX chooses to regard some CRL signers as end
> >entities, then it must have words which permit some end entities to
> >sign CRLs.
>
> I would support the former, or some variant of it. Let's be clear about
> our terminology. We don't call an entity which signs OCSP responses but
> doesn't sign certificates and has basicConstraints absent a "CA". We
> shouldn't call an entity which signs CRLs but doesn't sign certificates and
> has basicConstraints absent a "CA", either.
>
> If we're sloppy with the terminology, somebody later on is going to fail to
> grasp the subtlety of it and get this wrong.
>
> Al Arsenault
> Chief Security Architect
> Diversinet Corp.
--
David Simonetti
Securify (www.securify.com), 410-356-2260
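The two readings argued over above, as an added example that is not part of this thread or of any PKIX text: a toy PKI with a root CA and a separate CRL-signing entity whose certificate carries the cRLSign key usage bit but no basicConstraints extension at all. `verifyCRLStrictCA` is the "only a CA may sign CRLs" reading, which the Go standard library's `RevocationList.CheckSignatureFrom` (Go 1.19 or later is assumed) implements by rejecting a v3 signer that lacks basicConstraints cA=TRUE; `verifyCRLByKeyUsage` is the other reading, accepting any certificate the CA issued with cRLSign. All names, serials and keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// crlDemo is a constructed toy PKI for this example: a root CA, a CRL-signing
// end entity issued by that CA, and one CRL signed by that end entity.
type crlDemo struct {
	caCert, signerCert *x509.Certificate
	crlDER             []byte
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl under parent with priv and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildDemo constructs the toy PKI. Names and serials are made up.
func buildDemo() (*crlDemo, error) {
	now := time.Now()
	caKey, signerKey := newKey(), newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true, // basicConstraints cA=TRUE: a CA in every reading
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId:          []byte{1},
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// The CRL signer: keyUsage cRLSign only and no basicConstraints extension
	// (BasicConstraintsValid stays false), i.e. an end entity in Al's terminology.
	signerCert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Demo CRL Signer"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{2}, // CreateRevocationList requires an SKI on the CRL issuer
	}, caCert, &signerKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}},
	}, signerCert, signerKey)
	if err != nil {
		return nil, err
	}
	return &crlDemo{caCert: caCert, signerCert: signerCert, crlDER: crlDER}, nil
}

// verifyCRLStrictCA is the "only a CA may sign CRLs" reading. Go's
// RevocationList.CheckSignatureFrom rejects a v3 signer without
// basicConstraints cA=TRUE (ConstraintViolationError) before checking the signature.
func verifyCRLStrictCA(crlDER []byte, signer *x509.Certificate) error {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	return rl.CheckSignatureFrom(signer)
}

// verifyCRLByKeyUsage is the other reading: the signer must hold a certificate
// issued by the CA with the cRLSign key usage bit, but need not be a CA itself.
func verifyCRLByKeyUsage(crlDER []byte, signer, ca *x509.Certificate) error {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if signer.KeyUsage&x509.KeyUsageCRLSign == 0 {
		return errors.New("CRL signer certificate lacks the cRLSign key usage bit")
	}
	if err := signer.CheckSignatureFrom(ca); err != nil { // signer's cert must chain to the CA
		return fmt.Errorf("CRL signer certificate not issued by CA: %w", err)
	}
	return signer.CheckSignature(rl.SignatureAlgorithm, rl.RawTBSRevocationList, rl.Signature)
}

func main() {
	d, err := buildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("strict CA reading:  ", verifyCRLStrictCA(d.crlDER, d.signerCert))
	fmt.Println("cRLSign reading:    ", verifyCRLByKeyUsage(d.crlDER, d.signerCert, d.caCert))
	fmt.Println("CA key on this CRL: ", verifyCRLByKeyUsage(d.crlDER, d.caCert, d.caCert))
}
```

Run as-is, the first line reports a constraint violation and the second reports nil: the same CRL is accepted or rejected depending purely on whether the relying party requires the signer to be a "CA" in the basicConstraints sense, which is the ambiguity the thread is asking PKIX to resolve in words. The third line shows the sanity check both readings share: the CA's own key does not verify a CRL its delegate signed.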