[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments

To: ietf-pkix@xxxxxxx
Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments
From: "David P. Kemp" <dpkemp@xxxxxxxxxxxxxx>
Date: Wed, 18 Apr 2001 13:08:09 -0400
References: <> <> <> <> <3ADDC6B4.13B96602@missi.ncsc.mil>
Sender: dpkemp@xxxxxxxxxxxxxxxxxxxxxxx

P.S., my preference is to not use the cA bit to make a distinction
between types of CRL signers, in which case the text is much simpler:

      The cRLSign bit MUST be asserted when the subject public key is
      used for verifying a signature on a CertificateList (e.g., a CRL).
      
      If the keyCertSign bit is asserted, then the cA bit in the 
      basic constraints extension (see 4.2.1.10) MUST be asserted.
      If the keyCertSign bit is not asserted, then the cA bit
      in the basic constraints extension MUST NOT be asserted.

Dave



"David P. Kemp" wrote:
> 
> The 9:25 AM version was clearer.  This version adds a restriction on
> which type of authority may sign which type of revocation list.  Neither
> version defines "CA certificate"; my impression was that
> 
>   If the cA bit is set, then the certificate *is* a CA certificate,
> 
> not the backwards-sounding
> 
>   If the cRLSign bit is asserted in a CA certificate, then the cA bit
>   MUST be asserted.
> 
> How about the following:
> 
>       The cRLSign bit is asserted when the subject public key is used
>       for verifying a signature on a CertificateList (e.g., a CRL).
>       If the cA bit in the basic constraints extension (see 4.2.1.10)
>       is not asserted, then the public key MUST NOT be used to verify
>       signatures on CRLs containing revocation information for public
>       key certificates, however it may be used to verify signatures
>       on CRLs containing revocation information for other types of
>       certificates (e.g., attribute certificates).
>    *  If the cA bit is asserted, then the public key MUST NOT be used
>    *  to verify signatures on CRLs containing revocation information
>    *  for certificates other than public key certificates.
> 
>       If the keyCertSign bit is asserted, then the cA bit in the basic
>       constraints extension MUST be asserted.  If neither the cRLSign
>       bit nor the keyCertSign bit are asserted, then the cA bit in the
>       basic constraints extension MUST NOT be asserted.
> 
> The third sentence (marked ***) is new; I don't know if you intended
> the asymmetry of allowing CAs to revoke ACs but forbidding AAs from
> revoking PKCs.  If neither CAs nor AAs can revoke the other's certs,
> then the third sentence is needed.
> 
> Dave

Follow-Ups:
- Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments
  - From: David A. Cooper

References:
- Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments
  - From: Stephen Farrell
- RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments
  - From: Jim Schaad
- Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments
  - From: Russ Housley
- Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments
  - From: Stephen Farrell

Prev by Date: CMP: Use of PKIMessages
Next by Date: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments
Previous by thread: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments
Next by thread: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments
Index(es):
- Date
- Thread