Re: I-D ACTION:draft-ietf-pkix-pi-06.txt
Some additional information about: draft-ietf-pkix-pi-06.txt
The editors have received a request from the security area Director,
Jeff Schiller to add some clarifications.
"This document appears to introduce the notion of an Assigner Authority, but
never really defines it. Is it a government, a corporation, an enterprise,
all of the above? There should be a section that discusses this. Note: If it
is defined elsewhere, then an appropriate normative reference should be made."
We have added text on page 2, section 1, to define it:
A permanent identifier consists of an identifier value assigned
within a given naming space by the organization which is
authoritative for that naming space. Such an organization is known
as an Assigner Authority.
An Assigner Authority may be a government, a government agency, a
corporation, or any other sort of organization. It MUST have a
unique identifier to distinguish it from any other such authority.
In this standard, that identifier MUST be an object identifier or
be representable as a URI.
"An important consideration is missing from the Security Considerations.
Namely, that there is nothing that prevents a CA from issuing a certificate
with a globally unique permanent identifier that belongs to an entity
different than the entity that is controlling that certificate's private key.
I.e., there is no technical enforcement mechanism to ensure that only global
identifiers approved of by the correct Assigner Authority are placed in a
certificate."
There is no enforcement, but the CA is responsible for all the information
present in the certificate. We have added text in section 3:
It is the responsibility of the CA to verify that
the permanent identifier being included in the certificate refers
to the subject being certified.
During the last IETF Last call (not to be confused with the WG last call)
the editors have received a request to add some more material in the
informative annex.
We also have added a new section B3 and the authors have indicated to us
that they were satisfied with the addition.
For all these reasons a new draft has been submitted and placed on the web
server.
Denis
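As an added example (not part of this message or of the draft itself), a relying-party check for the gap Jeff raises above: since nothing technically stops a CA from placing another entity's permanent identifier in a certificate, a relying party can pair each Assigner Authority OID with the CAs it trusts to assert identifiers from that naming space, and reject anything else. It assumes the PermanentIdentifier encoding of the published RFC 4043 (a SEQUENCE of an optional UTF8String value and an optional assigner OID), which this message does not reproduce, plus a constructed policy table and constructed sample bytes.

```python
# Constructed relying-party policy: assigner OID -> issuer names trusted to
# assert identifiers from that Assigner Authority's naming space.
TRUSTED_ASSIGNERS = {
    "1.2.3.4.5": {"CN=Example Gov CA"},  # assumption: example OID and CA name
}

# Constructed DER: SEQUENCE { UTF8String "PI-0042", OID 1.2.3.4.5 }
SAMPLE_PI = bytes.fromhex("300f0c0750492d303034320604 2a030405")
# Constructed DER with the assigner omitted: SEQUENCE { UTF8String "PI-0042" }
SAMPLE_PI_NO_ASSIGNER = bytes.fromhex("30090c0750492d30303432")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    else:
        pos += 2
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode DER OID content octets into dotted form."""
    arcs, val = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)


def decode_permanent_identifier(der):
    """Return (identifierValue, assigner OID); either may be None."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PermanentIdentifier must be a SEQUENCE")
    value = assigner = None
    pos = 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0x0C:      # UTF8String identifierValue
            value = content.decode("utf-8")
        elif tag == 0x06:    # OBJECT IDENTIFIER assigner
            assigner = _decode_oid(content)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return value, assigner


def accept_permanent_identifier(der, issuer_name, policy=TRUSTED_ASSIGNERS):
    """Accept only if the issuing CA is trusted for the named assigner.
    Policy choice here: an absent assigner is rejected, since the relying
    party then cannot scope the identifier to a known naming space."""
    value, assigner = decode_permanent_identifier(der)
    if value is None or assigner is None:
        return False
    return issuer_name in policy.get(assigner, set())
```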