Re: Impersonation Certificates - finding IC's



In the Globus Toolkit, we use ICs to authenticate a TLS channel, and we always pass the entire IC/EEC certificate chain during the authentication handshake. And whenever we delegate an IC, we pass the whole chain to the RP.

I would be interested to hear a scenario where it is not practical or desirable to pass the IC/EEC chain to the RP, or in the authentication handshake. And if you have any suggestions for changes that could be made to support path discovery from a directory (or any other way), I'd love to hear it.

I'll be in Minneapolis next week if you want to talk more about this in person...

-Steve

At 08:04 PM 3/8/2001 Thursday, Carlin Covey wrote:
In section 2.6 of draft-ietf-pkix-impersonation-00.txt the
following words appear:

   "To discourage mistakes in this area, this Impersonation Certificate
   profile defines that the IC subject (actually its subjectAltName) is
   just a pseudo-randomly generated string."

[Carlin's comments/questions]:
If the IC subject name is a pseudo-randomly generated string, how is the
IC found in an X.500 or LDAP Directory?  Must it always be passed by the
application to the RP rather than being found in a directory?

- Carlin Covey
  Cylink Corporation
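To make the chain-delivery point of this exchange concrete, the following is an added example in Go; it is not Globus Toolkit code and is not from either message above. It builds, in memory, a CA, an end-entity certificate (EEC) for a constructed identity "alice", and an impersonation certificate (IC) issued by that EEC whose subject is a freshly generated pseudo-random string, then performs the relying-party check on the chain. Assumptions: the random string is placed in the subject CN for simplicity (the draft text quoted above puts it in subjectAltName); the names, serials and lifetimes are constructed; the IC-link rule applied (issuer name equals EEC subject, signature verifies under the EEC key, no CA flag, validity bounded by the EEC) is this example's own, chosen because Go's standard X.509 path validation has no notion of an IC and rejects a non-CA issuer.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key for tmpl, signs tmpl with signer (the parent's
// key; nil means self-signed) and returns the parsed certificate and its key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key
}

// BuildDemo issues CA -> EEC("alice") -> IC in memory (all constructed). The
// IC subject is a fresh pseudo-random string (kept in the CN here; the draft
// puts it in subjectAltName), so the name gives a directory nothing to key on.
func BuildDemo() (*x509.CertPool, *x509.Certificate, *x509.Certificate) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey := issue(caTmpl, caTmpl, nil)
	eecTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, // IsCA=false: an ordinary end-entity certificate
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	eec, eecKey := issue(eecTmpl, ca, caKey)
	nonce := make([]byte, 8)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	icTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: fmt.Sprintf("%x", nonce)},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(12 * time.Hour), // shorter-lived than the EEC
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	ic, _ := issue(icTmpl, eec, eecKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, eec, ic
}

// ValidateICChain is the relying-party check for a chain presented as [IC, EEC].
// Ordinary X.509 path building rejects the IC->EEC link (the EEC is not a CA),
// so that link is checked by hand once the EEC validates against the roots.
func ValidateICChain(roots *x509.CertPool, chain []*x509.Certificate) error {
	if len(chain) < 2 {
		return errors.New("IC presented without its EEC: the issuer cannot be found by the IC's random name")
	}
	ic, eec := chain[0], chain[1]
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := eec.Verify(opts); err != nil {
		return fmt.Errorf("EEC does not chain to a trusted CA: %w", err)
	}
	if !bytes.Equal(ic.RawIssuer, eec.RawSubject) || ic.IsCA {
		return errors.New("IC issuer is not the EEC subject, or IC claims CA status")
	}
	pub, ok := eec.PublicKey.(*ecdsa.PublicKey)
	if !ok || ic.SignatureAlgorithm != x509.ECDSAWithSHA256 {
		return errors.New("example handles ECDSA P-256 / SHA-256 only")
	}
	digest := sha256.Sum256(ic.RawTBSCertificate) // the signature covers the TBSCertificate
	if !ecdsa.VerifyASN1(pub, digest[:], ic.Signature) {
		return errors.New("IC signature does not verify under the EEC key")
	}
	now := time.Now()
	if now.Before(ic.NotBefore) || now.After(ic.NotAfter) || ic.NotAfter.After(eec.NotAfter) {
		return errors.New("IC is outside its validity window or outlives its EEC")
	}
	return nil
}
```

Calling ValidateICChain with [ic, eec] succeeds, while [ic] alone is rejected at the first check: the relying party has only a random subject name, nothing it could use to fetch the issuer from a directory, which is why the EEC travels with the IC in the handshake as described above. Handing the same IC to plain x509 Verify with the EEC as an intermediate also fails, since the EEC carries no CA basic constraint.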