RE: Open Issue in Part1: path length constraints
> From: "Michael Myers" <myers@xxxxxxxxxxxxx>
>
> Dave,
>
> Does your observation of a "trusted" responder interpret case 1.b below or
> were you intending to speak to some broader notion?
Michael,
I was indeed considering case 1.b, based on the text in RFC 2560
section 2.2:
The key used to sign the response MUST belong to one of the following:
-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requestor
-- a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA
I admit to not making a distinction between 1.a and 1.b, because if the CA is going to implicitly designate a trusted responder key, why in the world would it not take the extra step of explicitly designating that key by issuing the special certificate. The hard work for the CA is deciding who to designate, not signing the cert. I'm not from Missouri, but if a Trusted Responder claimed to be CA-delegated, I'd say "show me the cert".
Dave
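The three signer cases quoted above from RFC 2560 section 2.2, as an added Python example that is not part of this thread: a responder-side check that classifies which case authorizes an OCSP response signer and returns None for a responder that merely names the CA as its issuer without holding a CA-signed certificate marked with the id-kp-OCSPSigning extended key usage. It assumes the `cryptography` library; the CA, responder names and keys in `demo()` are constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def _spki(pub):  # DER SubjectPublicKeyInfo, so keys compare equal whichever cert carries them
    return pub.public_bytes(serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)

def classify_ocsp_signer(signer_cert, issuing_ca_cert, trusted_responder_spkis):
    # Returns which RFC 2560 section 2.2 case authorizes signer_cert, else None
    signer_key = _spki(signer_cert.public_key())
    if signer_key == _spki(issuing_ca_cert.public_key()):
        return "issuing-ca"                 # the CA that issued the certificate in question
    if signer_key in trusted_responder_spkis:
        return "trusted-responder"          # key the requestor configured as trusted
    # Designated responder: cert issued *directly* by that CA (CA signature verifies) and
    # marked id-kp-OCSPSigning. A responder that only claims delegation fails here.
    if signer_cert.issuer != issuing_ca_cert.subject:
        return None
    try:
        issuing_ca_cert.public_key().verify(
            signer_cert.signature, signer_cert.tbs_certificate_bytes,
            ec.ECDSA(signer_cert.signature_hash_algorithm))
        eku = signer_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except (InvalidSignature, x509.ExtensionNotFound):
        return None
    return "designated-responder" if ExtendedKeyUsageOID.OCSP_SIGNING in eku else None

def _cert(cn, issuer_cn, pub, signing_key, eku=None):  # minimal EC cert for the constructed PKI
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if eku is not None:
        b = b.add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
    return b.sign(signing_key, hashes.SHA256())

def demo():
    # Constructed PKI: a CA, a responder it designated, and a self-signed one claiming delegation
    ca_key, resp_key, bogus_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _cert("Test CA", "Test CA", ca_key.public_key(), ca_key)
    designated = _cert("OCSP Responder", "Test CA", resp_key.public_key(), ca_key,
                       ExtendedKeyUsageOID.OCSP_SIGNING)
    claimed = _cert("OCSP Responder", "Test CA", bogus_key.public_key(), bogus_key,
                    ExtendedKeyUsageOID.OCSP_SIGNING)
    return {"ca": classify_ocsp_signer(ca, ca, set()),
            "designated": classify_ocsp_signer(designated, ca, set()),
            "trusted": classify_ocsp_signer(claimed, ca, {_spki(bogus_key.public_key())}),
            "claimed": classify_ocsp_signer(claimed, ca, set())}
```

The "claimed" responder is accepted only when its key is explicitly configured as a Trusted Responder; without that, or without a certificate actually signed by the CA, the response is rejected.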