RE: Open Issue in Part1: path length constraints
Steve,
We had in fact worked this very issue both onlist and offlist during the
OCSP drafting stage. That work led to the consensus view of an OCSP
Authorized Responder as defined by Section 4.2.2.2 of RFC 2560 (cf. my note
to the list on 06 March). So it seems we already have a consensus-based notion
of what to call a non-CA OCSP entity--at least from a standards perspective.
Just trying to save the WG some cycles.
Mike
> -----Original Message-----
> From: Stephen Kent [mailto:kent@xxxxxxx]
> Sent: Wednesday, March 07, 2001 8:41 AM
> To: Ambarish Malpani
> Cc: ietf-pkix@xxxxxxx
> Subject: RE: Open Issue in Part1: path length constraints
>
>
> Ambarish,
>
> >Hi Steve,
> > While the term "VA" might not be part of the IETF standards,
> >it is the entity that can do the following:
> >
> >a. Sign OCSP responses - where you directly trust the responder
> >b. Sign Indirect CRLs (I suppose this is a circular argument)!
> >c. Do the Delegated Path Validation protocol.
> >
> >Agreed?
>
> Since you made the term up, I suppose a VA can do anything :-).
>
> On a more serious note, we made an explicit provision for non-CA
> signing of OCSP responses when OCSP was created. You are an author,
> so you know this. But, you didn't seem to feel a need to create a
> name for such entities at the time, which is OK too. CRL signing
> was, prior to v3, strictly the province of a CA. What it seems we
> have in our docs, and to a lesser extent in the X.509 docs, is a
> failure to clearly describe the intent to allow non-CA entities to
> sign CRLs. I say this based on the mix of terms in 2459, and some
> selected examples of text from X.509 that refer to an "authority"
> without naming any sort of authority other than CAs (and AAs?).
>
> So, going forward, if we want to allow non-CAs to perform this
> function, let's just get the text to be clear on this point, and if
> necessary, let's create a name for these entities, to minimize
> confusion.
>
> As for DPV, it is clear that it can be performed by a non-CA entity.
>
> Steve
>
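As an added illustration (not part of this thread, and not code from RFC 2560 or any OCSP implementation), here are the three signer cases Section 4.2.2.2 of RFC 2560 accepts, including the non-CA Authorized Responder Mike refers to; the `Cert` class, key strings and certificate names are constructed stand-ins, and signature verification is modelled by key matching rather than real X.509 parsing:

```python
from dataclasses import dataclass

# id-kp-OCSPSigning extended key usage OID (RFC 2560 section 4.2.2.2)
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the X.509 fields the decision needs."""
    subject: str
    issuer: str
    public_key: str   # stands in for the SubjectPublicKeyInfo
    issuer_key: str   # key that signed this certificate
    eku: tuple = ()   # extended key usage OIDs

def signed_by(cert, signer):
    """Model of signature verification: the issuer name matches the
    signer's subject and the signing key is the signer's key."""
    return cert.issuer == signer.subject and cert.issuer_key == signer.public_key

def ocsp_signer_basis(issuer, signer, trusted_keys):
    """Which RFC 2560 4.2.2.2 rule lets `signer` sign responses about
    certificates issued by `issuer`? Returns the rule name or None."""
    # (1) the CA that issued the certificate in question signs directly
    if signer.subject == issuer.subject and signer.public_key == issuer.public_key:
        return "issuing-ca"
    # (2) a responder whose key the relying party trusts directly
    if signer.public_key in trusted_keys:
        return "trusted-responder"
    # (3) a CA-designated non-CA responder: its certificate must be issued
    #     by that same CA and carry id-kp-OCSPSigning
    if signed_by(signer, issuer) and ID_KP_OCSP_SIGNING in signer.eku:
        return "authorized-responder"
    return None

# constructed sample certificates
CA = Cert("CN=Example CA", "CN=Example CA", "ca-key", "ca-key")
DELEGATE = Cert("CN=OCSP Responder", "CN=Example CA", "resp-key", "ca-key",
                eku=(ID_KP_OCSP_SIGNING,))
NO_EKU = Cert("CN=Web Server", "CN=Example CA", "web-key", "ca-key",
              eku=("1.3.6.1.5.5.7.3.1",))           # serverAuth only
FOREIGN = Cert("CN=OCSP Responder", "CN=Other CA", "x-key", "other-key",
               eku=(ID_KP_OCSP_SIGNING,))          # issued by the wrong CA
DIRECT = Cert("CN=Local Responder", "CN=Local Responder", "local-key", "local-key")

def check_all(trusted_keys=frozenset({"local-key"})):
    """Evaluate each constructed signer against Example CA."""
    return [(c.subject, ocsp_signer_basis(CA, c, trusted_keys))
            for c in (CA, DELEGATE, NO_EKU, FOREIGN, DIRECT)]

for subject, basis in check_all():
    print(f"{subject:20s} -> {basis}")
```

A real relying party would verify the signature cryptographically and also check the delegated responder certificate's own validity, which RFC 2560 addresses with the id-pkix-ocsp-nocheck extension.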