RE: Impersonation Certificates - finding IC's
Steve,
"... not practical or desirable to pass the IC/EEC chain to the RP..."
Well, I don't have any specific scenario in mind, but there is the
wireless/low-bandwidth case that always seems to be lurking around the
corner, but never quite getting here.
I'll be at the IETF in Minneapolis. I'd like to talk with you.
Regards,
Carlin
_______________________________________
Carlin Covey
Cylink Corporation
-----Original Message-----
From: Steve Tuecke [mailto:tuecke@xxxxxxxxxxx]
Sent: Friday, March 09, 2001 1:33 PM
To: Carlin Covey
Cc: ietf-pkix@xxxxxxx
Subject: Re: Impersonation Certificates - finding IC's
In the Globus Toolkit, we use ICs to authenticate a TLS channel, and we
always pass the entire IC/EEC certificate chain during the authentication
handshake. And whenever we delegate an IC, we pass the whole chain to the
RP.
I would be interested to hear a scenario where it is not practical or
desirable to pass the IC/EEC chain to the RP, or in the authentication
handshake. And if you have any suggestions for changes that could be made
to support path discovery from a directory (or any other way), I'd love to
hear it.
I'll be in Minneapolis next week if you want to talk more about this in
person...
-Steve
At 08:04 PM 3/8/2001 Thursday, Carlin Covey wrote:
>In section 2.6 of draft-ietf-pkix-impersonation-00.txt the
>following words appear:
>
> "To discourage mistakes in this area, this Impersonation Certificate
> profile defines that the IC subject (actually its subjectAltName) is
> just a pseudo-randomly generated string."
>
>[Carlin's comments/questions]:
>If the IC subject name is a pseudo-randomly generated string, how is the
>IC found in an X.500 or LDAP Directory? Must it always be passed by the
>application to the RP rather than being found in a directory?
>
>- Carlin Covey
> Cylink Corporation