>>> Sharon Boeyen <sharon.boeyen@xxxxxxxxxxx> 3/6/2001 10:34:42 AM >>>
From an X.509 perspective I want to clarify what DR 272 is intended to do.
With respect to the portion of the path that includes the cert containing
the extension and the cert that is the final one in the path, that portion
of the path can exceed the constraint value by 2. Here is the relevant text
from the DR:

". Therefore the total length of this segment of the path, excluding
self-issued certificates, may exceed the value of the constraint by as many
as two certificates. (This includes the certificates at the two endpoints of
the segment plus the CA certificates between the two endpoints that are
constrained by the value of this extension.)".

If the term "end-entity" in the DR resolution is what is causing the problem
in PKIX, then I'm sure we can replace that term with another one (e.g. the
final cert in the path). The 509 DR is NOT trying to comment on what the
final cert represents (with respect to a CA, end user etc). The term
end-entity in this context was meant to differentiate that final cert from
an intermediary cert. This is exactly the same as what is done with the
similar text for delegation paths for attribute certs.

Would replacing "end-entity" in the DR eliminate the PKIX problem?

I realize that the discussion has moved beyond the pure DR into the area of
"who can issue CRLs", but that is a separate issue from the path length
constraint, in which the value in that integer represents the maximum number
of intermediary non-self-issued certs between the two endpoints (where one
endpoint is the cert containing the extension and the other endpoint is the
final cert in the path, regardless of the entity type that is its subject).

Sharon


> -----Original Message-----
> From: David Kemp [mailto:dpkemp@xxxxxxxxxxxxxx] 
> Sent: Tuesday, March 06, 2001 9:18 AM
> To: ietf-pkix@xxxxxxx 
> Subject: Re: Open Issue in Part1: path length constraints
> 
> 
> Dave,
> 
> Then is it your suggestion that all PKIX words regarding issuance of
> CRLs by "conforming CAs" be extended to "conforming CAs and 
> end entities",
> or is it your suggestion that CRLs MUST NOT be verified except by a
> public key which is also permitted to verify certificates?
> 
> I strongly disagree with the latter, of course.
> 
> I disagree with the former too, since it is my belief that a 
> "conforming
> CA" is the organization which signs the CRL, not the public key which
> signs the CRL.  But if PKIX chooses to regard some CRL signers as end
> entities, then it must have words which permit some end entities to
> sign CRLs.
> 
> Dave
> 
> 
> 
> > Date: Mon, 05 Mar 2001 16:30:10 -0500
> > From: David Simonetti <dsimonetti@xxxxxxxxxxxx>
> >
> > Dave,
> > 
> > Responding to your question:
> > 
> > > If that certificate has cA=false, and keyCertSign=0 and cRLSign=1,
> > > isn't the subject of the certificate "a conforming CA"?
> > 
> > No, it is an end entity.
> > --
> > David Simonetti
> > Securify (www.securify.com), 410-356-2260
> > 
>
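The counting rule Sharon describes above (the constraint value bounds the number of intermediary non-self-issued certs between the cert carrying the extension and the final cert, so that segment can be up to constraint + 2 certs long, whatever the final cert's subject is) is easier to see when run against a concrete path. The following is an added example, not code from this thread, from X.509 or from any PKIX implementation. It uses a constructed stand-in `Cert` record holding only the basicConstraints fields (no keys or signatures; signature and validity checking are assumed to happen elsewhere), a constructed hierarchy under a trust anchor "Root CA", and the decrement-then-clamp formulation of pathLenConstraint processing later written down in RFC 5280 section 6.1.4 (which postdates this 2001 discussion but encodes the same semantics).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields that
    pathLenConstraint processing looks at."""
    subject: str
    issuer: str
    ca: bool = False                  # basicConstraints.cA
    path_len: Optional[int] = None    # basicConstraints.pathLenConstraint, None if absent

    @property
    def self_issued(self) -> bool:
        # Self-issued: issuer name equals subject name (e.g. a CA rekey cert).
        return self.subject == self.issuer


def check_path_len(path: List[Cert]) -> Tuple[bool, str]:
    """Apply pathLenConstraint processing to a certification path.

    `path` excludes the trust anchor; path[0] is issued by the anchor and
    path[-1] is the final certificate, whatever its subject is.  For every
    certificate except the final one (as in RFC 5280 6.1.4 steps k-m):
    require cA=TRUE; if it is not self-issued, consume one unit of
    max_path_length (failing when none is left); then clamp max_path_length
    to the certificate's own pathLenConstraint if that is smaller.  The final
    certificate is never counted, which is why the constrained segment may be
    as long as pathLenConstraint + 2 (the two endpoints plus the constrained
    intermediaries).
    """
    max_path_length = len(path)   # RFC 5280 initialises it to n
    for i, cert in enumerate(path[:-1]):
        if not cert.ca:
            return False, f"{cert.subject} (cert {i}) is an intermediary but not a CA cert"
        if not cert.self_issued:
            if max_path_length <= 0:
                return False, (f"{cert.subject} (cert {i}) exceeds the pathLenConstraint "
                               f"of an earlier certificate in the path")
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, "pathLenConstraint satisfied"


def segment_length(path: List[Cert], start: int) -> int:
    """Length of the DR 272 segment: certificates from path[start] (the cert
    carrying the constraint) through the final cert, inclusive, excluding
    self-issued certificates."""
    return sum(1 for c in path[start:] if not c.self_issued)


# Constructed sample hierarchy.  "Root CA" is the trust anchor and is not in the path.
CA1 = Cert("CA1", "Root CA", ca=True, path_len=1)   # the cert carrying the constraint
CA1_REKEY = Cert("CA1", "CA1", ca=True)             # self-issued: not counted
CA2 = Cert("CA2", "CA1", ca=True)
CA3 = Cert("CA3", "CA2", ca=True)
ALICE = Cert("alice", "CA2")                        # final cert, an end entity
BOB = Cert("bob", "CA3")
CA0 = Cert("CA0", "Root CA", ca=True, path_len=0)   # pathLenConstraint of zero
CAX = Cert("CAX", "CA0", ca=True)
CAROL = Cert("carol", "CA0")

GOOD_PATH = [CA1, CA1_REKEY, CA2, ALICE]        # CA1 .. alice: 3 certs = 1 + 2, allowed
CA_FINAL_PATH = [CA1, CA1_REKEY, CA2, CA3]      # same count with a CA cert as the final cert
TOO_LONG_PATH = [CA1, CA1_REKEY, CA2, CA3, BOB]  # two intermediaries after CA1: rejected
ZERO_OK_PATH = [CA0, CAROL]                     # pathLen 0: only the final cert may follow
ZERO_BAD_PATH = [CA0, CAX, CAROL]               # pathLen 0 with one intermediary: rejected


if __name__ == "__main__":
    for name, path in [("GOOD_PATH", GOOD_PATH), ("CA_FINAL_PATH", CA_FINAL_PATH),
                       ("TOO_LONG_PATH", TOO_LONG_PATH), ("ZERO_OK_PATH", ZERO_OK_PATH),
                       ("ZERO_BAD_PATH", ZERO_BAD_PATH)]:
        ok, why = check_path_len(path)
        print(f"{name}: valid={ok}, segment from cert 0 = {segment_length(path, 0)} ({why})")
```

Note that `check_path_len` accepts `CA_FINAL_PATH` and `GOOD_PATH` alike: the final cert's subject being a CA rather than an end user changes nothing, which is the point Sharon makes about the term "end-entity" in the DR.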