
Re: Clarification request on RFC 2560



Is that 99.9999% of all PKI programs (i.e. SSL clients, which are forbidden
from handling cross-certification*), or 99.9999% of those PKI programs,
such as S/MIME, whose specifications are not so short-sighted as to forbid it?

Dave


* SSL 3.0: "certificate_list - This is a sequence (chain) of X.509 certificates,
            ordered with the sender's certificate first and the [sender's] root
            certificate authority last."



Rich Salz wrote:
> 
> > An OCSP client might assume that only a single certificate corresponds
> > to the responder ID and for example just look for the first certificate
> > in the certs attribute which matches the responder ID and verify that.
> 
> I think most -- like 99.9999% -- PKI programs are not equipped to handle
> cross-certified entities.
>         /r$
> 
> --
> Zolera Systems, Your Key to Online Integrity
> Securing Web services: XML, SOAP, Dig-sig, Encryption
> http://www.zolera.com
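
The client behaviour described in the quoted text, modelled as an added example (not part of either message and not taken from any OCSP implementation): a first-match lookup beside one that tries every certificate matching the responder ID. The `Cert` record, the issuer-name trust check standing in for real path validation, and all sample names and key bytes are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes  # constructed stand-in for the subject public key bits

def key_hash(cert):
    # RFC 2560 byKey ResponderID: SHA-1 hash of the responder's public key.
    return hashlib.sha1(cert.public_key).digest()

def matches(cert, responder_id):
    kind, value = responder_id
    return cert.subject == value if kind == "byName" else key_hash(cert) == value

def issuer_trusted(cert, trusted_issuers):
    # Assumption: a simplified stand-in for full certification path validation.
    return cert.issuer in trusted_issuers

def first_match(certs, responder_id, trusted_issuers):
    # Behaviour from the quoted text: stop at the first certificate that matches.
    for cert in certs:
        if matches(cert, responder_id):
            return cert if issuer_trusted(cert, trusted_issuers) else None
    return None

def any_match(certs, responder_id, trusted_issuers):
    # Cross-certification aware: keep looking until a matching certificate validates.
    # The response signature must still be verified with the returned certificate's key.
    for cert in certs:
        if matches(cert, responder_id) and issuer_trusted(cert, trusted_issuers):
            return cert
    return None

# Constructed sample: one responder key certified by two different CAs.
RESPONDER_KEY = b"constructed-responder-public-key"
CERTS = [
    Cert("CN=OCSP Responder", "CN=CA B", RESPONDER_KEY),  # listed first, issuer not trusted here
    Cert("CN=OCSP Responder", "CN=CA A", RESPONDER_KEY),  # same name and key, trusted issuer
]
TRUSTED = {"CN=CA A"}
BY_NAME = ("byName", "CN=OCSP Responder")
BY_KEY = ("byKey", hashlib.sha1(RESPONDER_KEY).digest())

if __name__ == "__main__":
    for rid in (BY_NAME, BY_KEY):
        print(rid[0], first_match(CERTS, rid, TRUSTED), any_match(CERTS, rid, TRUSTED))
```

Both certificates match either form of responder ID, so the order of the `certs` field alone decides whether the first-match client accepts or rejects the response.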