[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D ACTION:draft-ietf-pkix-okid-01.txt

To: Paul Hoffman <phoffman@xxxxxxx>
Subject: Re: I-D ACTION:draft-ietf-pkix-okid-01.txt
From: Denis Pinkas <Denis.Pinkas@xxxxxxxx>
Date: Thu, 14 Mar 2002 18:19:03 +0100
Cc: pkix <ietf-pkix@xxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: Integris. A Bull Company
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Paul,

You made quite a good job, with this new specification since the hash is now
computed over the whole certificate instead of the public key only.

A few comments:

1. Editorial. Choose either OKID or OCKID. 
   I don't care as long as there is a single acronym.

2. I have some concerns with section 4 when it states:

Because the result of matching the OCKID to the CA certificate is that
the certificate will now become a trust anchor, the system MUST inform
the user of each of the following: 

- That the certificate has become a trust anchor

- The policies used by the issuer of this certificate to issue
subordinate certificates ([PKIX] section 4.2.1.5)

- The basic constraints placed on the issuer of this certificate, such
as the depth of subordinate chain that can be issued under this
certificate ([PKIX] section 4.2.1.10)

- The types of names for which the issuer of this certificate can create
certificates ([PKIX] section 4.2.1.11)

- The policy constraints placed on the issuer of this certificate
([PKIX] section 4.2.1.12)

The system SHOULD give the user a method for later removing the trust in
the CA certificate. The system MUST also check whether the certificate
is properly signed, that is, that the public key in the certificate is
in fact correctly verifies the contents of the certificate.

End of extract.

In most cases the user will only verify that the intended hash matches the
computed hash and will install the self-signed certificates. Controls like
checking the signature of the certificate may be recommanded but should not
be mandatory.

Hence I would propose a text along the following:

"Because the result of matching the OCKID to the CA certificate is that the
certificate will now become a trust anchor, the system MUST inform the user
that the certificate has become a trust anchor.

The system SHOULD give the user a method for later removing the trust in the
CA certificate. 

It MAY provide additional information to the user like:

- The policies used by the issuer of this certificate to issue subordinate
certificates ([PKIX] section 4.2.1.5)

- The basic constraints placed on the issuer of this certificate, such as
the depth of subordinate chain that can be issued under this certificate
([PKIX] section 4.2.1.10)

- The types of names for which the issuer of this certificate can create
certificates ([PKIX] section 4.2.1.11)

- The policy constraints placed on the issuer of this certificate ([PKIX]
section 4.2.1.12)

The system SHOULD also check whether the certificate is properly signed,
that is, that the public key in the certificate is in fact correctly
verifies the contents of the certificate."

Denis

Follow-Ups:
- Re: I-D ACTION:draft-ietf-pkix-okid-01.txt
  - From: Paul Hoffman / IMC

References:
- I-D ACTION:draft-ietf-pkix-okid-01.txt
  - From: Internet-Drafts

Prev by Date: RE: Attribute Certificate Policy??
Next by Date: Re: I-D ACTION:draft-ietf-pkix-okid-01.txt
Previous by thread: I-D ACTION:draft-ietf-pkix-okid-01.txt
Next by thread: Re: I-D ACTION:draft-ietf-pkix-okid-01.txt
Index(es):
- Date
- Thread