Re: Clarification request on RFC 2560
John Thielens wrote:
>
> > 4) a sequence (chain) of (possibly) "useful" X.509 certificates ?
>
> I believe #4 is the correct answer (I have seen enough variation in the ordering to preclude #1 and #2 -- perhaps this is why CMS uses SET OF instead of SEQUENCE OF, although it also commits the sin of OPTIONAL without SIZE (1..MAX)). #4 puts the onus squarely on the relying party's shoulders to assess the applicability of the certificates to substantiate the signature. Of course, the server SHOULD only put in useful certs, but the client MUST NOT count on it.
>
If the client cannot count on something, this feature is not very
useful. In this case, the client must still implement functionality for
retrieving certificates needed for verification of the OCSP response
(this is a MUST, because I can't rely on the OCSP response itself).
Retrieving certificates from the OCSP response itself means that the
client developer must do additional work in the hope that some OCSP
responder will put something useful in the response.
I would suggest explicitly stating the assumptions that the client can
make about the content of the certs field, and if these assumptions
consist of an empty set, removing this field as it only complicates
things without providing any measurable value.
--
Margus