
RE: Extension name divergence between PKIX profile and X.509 4th Edition



Sharon
 
Might as well ensure that the pointer class can be used in any type
of certificate, any type of CRL, and any other type of "security token"
contemplated by X.509.
 
The signed XML work (outside IETF) is completing nicely, with
application to cert management, biometric data, inter-domain messaging
and authorization.
 
Signed XML objects can benefit from the generalized standardization of
references to RevocationLists in X.509.
 
 -----Original Message-----
From: Sharon Boeyen [mailto:sharon.boeyen@xxxxxxxxxxx]
Sent: Monday, April 16, 2001 11:34 AM
To: 'Russ Housley'; Sharon Boeyen
Cc: ietf-pkix@xxxxxxx
Subject: RE: Extension name divergence between PKIX profile and X.509 4th Edition

I'll raise a defect on the 509 list proposing this. I suspect it won't be controversial.
 
Sharon
-----Original Message-----
From: Russ Housley [mailto:rhousley@xxxxxxxxxxxxxxx]
Sent: Friday, April 13, 2001 2:26 PM
To: Sharon Boeyen
Cc: ietf-pkix@xxxxxxx
Subject: RE: Extension name divergence between PKIX profile and X.509 4th Edition

Sharon:

The inclusion of freshestCRL in either a certificate or CRL has been in the document for quite some time. I think that it is very attractive for the "pointer" within a certificate or CRL to have the same syntax and semantics.

If X.509 can accommodate this approach, I think it would be very helpful.  I know that at least one implementation is using this approach.

Russ


At 07:33 PM 4/11/2001 -0400, Sharon Boeyen wrote:
David, I think this is a problem because X.509 states that the
freshest CRL extension SHALL only be used as a certificate extension.
The extension is identified by its OID and any other use of that OID
is non-conformant with its definition. X.509 currently has the delta info extension to point
from a CRL to related delta CRLs. If the syntax of that extension is
insufficient, then one of the following should happen:

- a new extension is defined that meets the need
- syntax of delta info extension is extended or modified to satisfy the need
- text for freshest CRL extension is modified to allow it to be a certificate
as well as a CRL extension.

The 3rd one sounds the simplest and least destructive. Since we are about to send the current set of
defects out for final ballot, this is timely. I don't recall specific discussion
that drove the freshest CRL to be a certificate only extension, but I think the text was
basically modelled after CRL DP extension.

Is there firm agreement in PKIX that this is required? If so, we should propose
the change to the 509 list - This could either be done as part of the current enhancements
work (similar to the change that will allow subjectDirectoryAttributes to be set as a critical
extension) or it might be suitable for the defect process.

Cheers,
Sharon