
Certificate Path Validation
Dear PKIX WG:


I need some help on Certificate Path Validation.

If my trust anchor is a non-self-signed certificate, what should be the contents
of the initial permitted_subtrees?


permitted_subtrees is defined as "a set of root names for each name type (e.g.,
X.500 distinguished names, email addresses, or IP addresses) defining a set of
subtrees within which all subject names in subsequent certificates in the certification
path MUST fall".


RFC 3280, section 6.1.2, subsection (b), says

"the initial value for the set for Distinguished Names is the set of all Distinguished
names;"


So is the RFC recommending ignoring the Name Constraints extension (if present) in
the CA certificates that are higher in the hierarchy than the trust anchor?


Is the recommendation the same for excluded_subtrees and other policies?

TIA,
Sunil
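As an added illustration (not part of Sunil's post or of RFC 3280's own text): a small Python model of the RFC 3280 name-constraints state for the dNSName type only, starting from the section 6.1.2 initial values and applying step 6.1.4 (g) for each certificate below the trust anchor. Every CA and host name in it is constructed.

```python
# Added example: RFC 3280 permitted/excluded_subtrees state, dNSName type only.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NameState:
    # 6.1.2 (b): permitted_subtrees starts as "all names" (modelled as None);
    # 6.1.2 (c): excluded_subtrees starts as the empty set.
    permitted: Optional[set] = None
    excluded: set = field(default_factory=set)

def in_subtree(name: str, subtree: str) -> bool:
    """4.2.1.11: a dNSName lies in a subtree when it equals the constraint or
    ends with it as a whole-label suffix ("host.example.com" in "example.com")."""
    name, subtree = name.lower(), subtree.lower()
    return name == subtree or name.endswith("." + subtree)

def intersect(current: Optional[set], new: set) -> set:
    """Intersect two sets of suffix subtrees: keep the narrower member of each
    overlapping pair; non-overlapping pairs contribute nothing."""
    if current is None:            # "all names" intersected with new is just new
        return set(new)
    out = set()
    for a in current:
        for b in new:
            if in_subtree(a, b):
                out.add(a)
            elif in_subtree(b, a):
                out.add(b)
    return out

def name_allowed(state: NameState, name: str) -> bool:
    """6.1.3 (b): the name must lie in a permitted subtree and in no excluded one."""
    ok = state.permitted is None or any(in_subtree(name, s) for s in state.permitted)
    return ok and not any(in_subtree(name, s) for s in state.excluded)

def validate_dns_names(path) -> bool:
    """path: one (permitted, excluded, dns_names) tuple per certificate *below*
    the trust anchor, in order. The anchor itself supplies only name and key
    (6.1.1), so nothing above it is ever folded into the state."""
    state = NameState()
    for permitted, excluded, names in path:
        if not all(name_allowed(state, n) for n in names):
            return False
        if permitted is not None:  # 6.1.4 (g): narrow permitted, widen excluded
            state.permitted = intersect(state.permitted, set(permitted))
        if excluded:
            state.excluded |= set(excluded)
    return True

# Constructed path: the anchor is a cross-certified CA; its subordinate CA carries
# nameConstraints (permitted example.com, excluded legacy.example.com).
SUB_CA = ({"example.com"}, {"legacy.example.com"}, set())
PATH_OK = [SUB_CA, (None, None, {"www.example.com"})]
PATH_OUTSIDE = [SUB_CA, (None, None, {"www.example.org"})]
PATH_EXCLUDED = [SUB_CA, (None, None, {"old.legacy.example.com"})]
```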