RE: Open Issue in Part1: path length constraints

[Stephen Kent <kent@xxxxxxx>]

Ambarish,

> Hi Steve,
>     While the term "VA" might not be part of the IETF standards,
> it is the entity that can do the following:
>
> a. Sign OCSP responses - where you directly trust the responder
> b. Sign Indirect CRLs (I suppose this is a circular argument)!
> c. Do the Delegated Path Validation protocol.
>
> Agreed?

Since you made the term up, I suppose a VA can do anything :-).

On a more serious note, we made an explicit provision for non-CA 
signing of OCSP responses when OCSP was created. You are an author, 
so you know this. But, you didn't seem to feel a need to create a 
name for such entities at the time, which is OK too.  CRL signing 
was, prior to v3, strictly the province of a CA. What it seems we 
have in our docs, and to a lesser extent in the X.509 docs, is a 
failure to clearly describe the intent to allow non-CA entities to 
sign CRLs. I say this based on the mix of terms in 2459, and some 
selected examples of text from X.509 that refer to an "authority" 
without naming any sort of authority other than CAs (and AAs?).

So, going forward, if we want to allow non-CAs to perform this 
function, let's just get the text to be clear on this point, and if 
necessary, let's create a name for these entities, to minimize 
confusion.

As for DPV, it is clear that it can be performed by a non-CA entity.

Steve