RE: Open Issue in Part1: path length constraints
Hi Steve,
While the term "VA" might not be part of the IETF standards,
it is the entity that can do the following:
a. Sign OCSP responses - where you directly trust the responder
b. Sign Indirect CRLs (I suppose this is a circular argument)!
c. Do the Delegated Path Validation protocol.
Agreed?
Regards,
Ambarish
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ambarish@xxxxxxxxxxxx
339 N. Bernardo Ave. http://www.valicert.com
Mountain View, CA 94043
> -----Original Message-----
> From: Stephen Kent [mailto:kent@xxxxxxx]
> Sent: Wednesday, March 07, 2001 7:55 AM
> To: Ambarish Malpani
> Cc: ietf-pkix@xxxxxxx
> Subject: RE: Open Issue in Part1: path length constraints
>
>
> Ambarish,
>
> >Steve, we use the Indirect CRL/Indirect delta CRL format to
> >propagate revocation information for particular CAs between
> >our VAs (Validation Authorities).
> >
> >Basically, a master VA can receive information that a particular
> >cert was revoked at a CA (even if the CA has not had time to
> >issue a new CRL as yet). It can (and does) create an Indirect
> >CRL with this information that it signs. The VA never acts
> >as a CA - it never issues certs, but still needs to be
> >responsible for creating and propagating revocation information
> >to other VAs.
> >
> >While we use these indirect CRLs to propagate information just
> >amongst VAs, it is not a stretch to see clients trust these
> >indirect CRLs for their own purposes.
> >
> >Hope this helps justify why it does make sense for non-CAs to
> >still issue CRLs.
>
> I understand the mechanism you are employing, and I see nothing wrong
> with it. However, I don't think the notion of a "VA" is part of ITU
> or IETF standards. Therefore, your use of it in a closed system
> environment is outside the scope of these standards.
>
> Steve
>