Re: Open Issue in Part1: path length constraints
Ambarish,
> Hi Steve,
> While the term "VA" might not be part of the IETF standards,
> it is the entity that can do the following:
>
> a. Sign OCSP responses - where you directly trust the responder
> b. Sign Indirect CRLs (I suppose this is a circular argument)!
> c. Do the Delegated Path Validation protocol.
>
> Agreed?
Certainly not!
This would create a confusion between:
1) a server simply giving the revocation status of a certificate,
2) a server *advertising* revocation for other CAs,
3) a server saying if a certificate is valid according to some policy.
Please use different names!
Denis
> Regards,
> Ambarish
>
> ---------------------------------------------------------------------
> Ambarish Malpani
> Architect 650.567.5457
> ValiCert, Inc. ambarish@xxxxxxxxxxxx
> 339 N. Bernardo Ave. http://www.valicert.com
> Mountain View, CA 94043
>
> > -----Original Message-----
> > From: Stephen Kent [mailto:kent@xxxxxxx]
> > Sent: Wednesday, March 07, 2001 7:55 AM
> > To: Ambarish Malpani
> > Cc: ietf-pkix@xxxxxxx
> > Subject: RE: Open Issue in Part1: path length constraints
> >
> >
> > Ambarish,
> >
> > >Steve, we use the Indirect CRL/Indirect delta CRL format to
> > >propagate revocation information for particular CAs between
> > >our VAs (Validation Authorities).
> > >
> > >Basically, a master VA can receive information that a particular
> > >cert was revoked at a CA (even if the CA has not had time to
> > >issue a new CRL as yet). It can (and does) create an Indirect
> > >CRL with this information that it signs. The VA never acts
> > >as a CA - it never issues certs, but still needs to be
> > >responsible for creating and propagating revocation information
> > >to other VAs.
> > >
> > >While we use these indirect CRLs to propagate information just
> > >amongst VAs, it is not a stretch to see clients trust these
> > >indirect CRLs for their own purposes.
> > >
> > >Hope this helps justify why it does make sense for non-CAs to
> > >still issue CRLs.
> >
> > I understand the mechanism you are employing, and I see nothing wrong
> > with it. However, I don't think the notion of a "VA" is part of ITU
> > or IETF standards. Therefore, your use of it in a closed system
> > environment is outside the scope of these standards.
> >
> > Steve
> >
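The arrangement Ambarish describes (a non-CA entity signing an indirect CRL for a CA's certificates) and the relying-party checks that Denis's distinction between "a server giving revocation status" and "a server advertising revocation for other CAs" calls for, as an added example; this is not code from the thread or from any product mentioned in it. It uses the Python `cryptography` package and follows the current PKIX profile (RFC 5280, section 6.3.3) in simplified form: the CRL must verify under the named signer, the signer must carry cRLSign, the CRL must declare itself indirect, its issuer must be the cRLIssuer the certificate's distribution point names, and a match requires both the serial number and the certificate issuer carried in the entry. The CA, the "revocation server", the end-entity certificates, keys and serial numbers are all constructed for the demonstration.

```python
# Added example (not part of the PKIX thread above). A non-CA "revocation
# server" signs an indirect CRL for certificates issued by a CA, and a
# relying party checks that the CRL is one the certificate actually points to.
# All names, keys and serial numbers below are constructed for the demo.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, pubkey, signer, serial, is_ca, extra=()):
    """Sign a minimal certificate; `extra` is a list of (extension, critical)."""
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(serial)
         .not_valid_before(NOW - datetime.timedelta(minutes=1))
         .not_valid_after(NOW + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    for ext, crit in extra:
        b = b.add_extension(ext, crit)
    return b.sign(signer, hashes.SHA256())


def build_scenario():
    """Constructed PKI: one CA, one non-CA revocation server, two end-entity certs."""
    ca_key, rs_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name, rs_name = _name("Example CA"), _name("Example Revocation Server")
    ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, 1, True)
    # The revocation server is certified by the CA but is NOT a CA (ca=False);
    # the only signing right it holds is cRLSign.
    rs_cert = _cert(rs_name, ca_name, rs_key.public_key(), ca_key, 2, False, [
        (x509.KeyUsage(digital_signature=True, content_commitment=False,
                       key_encipherment=False, data_encipherment=False,
                       key_agreement=False, key_cert_sign=False, crl_sign=True,
                       encipher_only=False, decipher_only=False), True)])
    # End-entity certs name the revocation server as cRLIssuer in their CRL
    # distribution point: that is what makes the CRL "indirect" for a client.
    crldp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=None, relative_name=None, reasons=None,
        crl_issuer=[x509.DirectoryName(rs_name)])])
    alice = _cert(_name("alice"), ca_name, ec.generate_private_key(ec.SECP256R1()).public_key(),
                  ca_key, 3, False, [(crldp, False)])
    bob = _cert(_name("bob"), ca_name, ec.generate_private_key(ec.SECP256R1()).public_key(),
                ca_key, 4, False, [(crldp, False)])
    # Indirect CRL signed by the revocation server. The entry carries the
    # CertificateIssuer extension because the serial belongs to the CA, not to us.
    entry = (x509.RevokedCertificateBuilder().serial_number(alice.serial_number)
             .revocation_date(NOW)
             .add_extension(x509.CertificateIssuer([x509.DirectoryName(ca_name)]), critical=True)
             .build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(rs_name)
           .last_update(NOW).next_update(NOW + datetime.timedelta(hours=1))
           .add_extension(x509.IssuingDistributionPoint(
               full_name=None, relative_name=None, only_contains_user_certs=False,
               only_contains_ca_certs=False, only_some_reasons=None,
               indirect_crl=True, only_contains_attribute_certs=False), critical=True)
           .add_revoked_certificate(entry)
           .sign(rs_key, hashes.SHA256()))
    return ca_cert, rs_cert, alice, bob, crl


def is_revoked_by_indirect_crl(cert, crl, crl_signer_cert):
    """Relying-party check (simplified RFC 5280 s.6.3.3). Raises ValueError if
    the CRL is not one this certificate may be checked against."""
    if not crl.is_signature_valid(crl_signer_cert.public_key()):
        raise ValueError("CRL signature does not verify under the presented signer")
    if not crl_signer_cert.extensions.get_extension_for_class(x509.KeyUsage).value.crl_sign:
        raise ValueError("CRL signer lacks the cRLSign key usage")
    idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    if not idp.indirect_crl:
        raise ValueError("CRL issuer differs from the cert issuer but CRL is not marked indirect")
    dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    named = [gn.value for dp in dps if dp.crl_issuer
             for gn in dp.crl_issuer if isinstance(gn, x509.DirectoryName)]
    if crl.issuer not in named:
        raise ValueError("CRL issuer is not the cRLIssuer named by the certificate")
    # In an indirect CRL a serial number alone is ambiguous. Each entry belongs to
    # the issuer named by the most recent CertificateIssuer extension, or to the
    # CRL issuer itself when no entry so far carried one.
    current_issuer = crl.issuer
    for rc in crl:
        try:
            ci = rc.extensions.get_extension_for_class(x509.CertificateIssuer).value
            current_issuer = ci.get_values_for_type(x509.DirectoryName)[0]
        except x509.ExtensionNotFound:
            pass
        if rc.serial_number == cert.serial_number and current_issuer == cert.issuer:
            return True
    return False
```

Run `build_scenario()` once and pass the returned CRL and revocation-server certificate to `is_revoked_by_indirect_crl` for each end-entity certificate. The point of the four preconditions is that a client trusting a CRL from a non-CA must be told by the CA, inside the certificate, who that signer is; a CRL from anyone else, or one whose signer merely holds a CA-issued certificate without cRLSign, is rejected before its entries are consulted.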