RE: Open Issue in Part1: path length constraints



Hi Steve,
    I think there is value to a non-CA providing status
information in all forms - CRLs, OCSP or DPV/SCVP. I agree that
we should clarify this.

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@xxxxxxxxxxxx
339 N. Bernardo Ave.                          http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Stephen Kent [mailto:kent@xxxxxxx]
> Sent: Wednesday, March 07, 2001 8:41 AM
> To: Ambarish Malpani
> Cc: ietf-pkix@xxxxxxx
> Subject: RE: Open Issue in Part1: path length constraints
> 
> 
> Ambarish,
> 
> >Hi Steve,
> >     While the term "VA" might not be part of the IETF standards,
> >it is the entity that can do the following:
> >
> >a. Sign OCSP responses - where you directly trust the responder
> >b. Sign Indirect CRLs (I suppose this is a circular argument)!
> >c. Do the Delegated Path Validation protocol.
> >
> >Agreed?
> 
> Since you made the term up, I suppose a VA can do anything :-).
> 
> On a more serious note, we made an explicit provision for non-CA 
> signing of OCSP responses when OCSP was created. You are an author, 
> so you know this. But, you didn't seem to feel a need to create a 
> name for such entities at the time, which is OK too.  CRL signing 
> was, prior to v3, strictly the province of a CA. What it seems we 
> have in our docs, and to a lesser extent in the X.509 docs, is a 
> failure to clearly describe the intent to allow non-CA entities to 
> sign CRLs. I say this based on the mix of terms in 2459, and some 
> selected examples of text from X.509 that refer to an "authority" 
> without naming any sort of authority other than CAs (and AAs?).
> 
> So, going forward, if we want to allow non-CAs to perform this 
> function, let's just get the text to be clear on this point, and if 
> necessary, let's create a name for these entities, to minimize 
> confusion.
> 
> As for DPV, it is clear that it can be performed by a non-CA entity.
> 
> Steve
>