Re: Certificate policy question
In message <200212110519.gBB5J0q24189@xxxxxxxxxxxxxxxxxxxxxxxxxx> on Wed, 11 Dec 2002 18:19:00 +1300, pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann) said:
pgut001> [Warning: This is one of those questions which is probably
pgut001> best answered in the Style Guide with a note saying
pgut001> "Don't do that"]
pgut001>
pgut001> Someone just sent me yet another weird cert [0] which has two
pgut001> different, in some places mutually exclusive, policies (that
pgut001> is, CPSes) in the certificatePolicies. I know the de facto
pgut001> standard handling for this is to ignore the policy, but
pgut001> what's the official word on this? Do you pick the one you
pgut001> like best and ignore the rest? Use the LSB of the public key
pgut001> as an index to pick one? Pop up a copy of Acrobat in a
pgut001> dialog box, ask the user to read the 100-odd-page CPSes, and
pgut001> pick the one with the flashiest graphic on the cover?
What's the context? What kind of certificate are we talking about, an
EE certificate or a CA one? If it's an EE cert, I can understand the
confusion, but if it's a CA one, doesn't that simply describe the
applicability of certificates certified by said CA? In the CA case,
doesn't the way you handle it have a lot to do with mappings along the
way and what policies you accept at the end (or beginning) of
validation?
If I assume a somewhat bastardous attitude, I'd say such a certificate
invalidates the whole path, IF you end up having those clashing
policies in your state at the end of path construction/validation.
pgut001> I'd like to at least do *something* in my code other than
pgut001> just ignoring it.
I'd agree with that.
pgut001> [0] The cool thing about 2459/3280's complexity is that
pgut001> everyone gets their own mistake arc without ever having
pgut001> to duplicate anyone else's. Maybe we could formalise
pgut001> this with OIDs or something :-).
A friend of mine expressed something similar: "Standards are a good
thing, everyone should have his own".
--
Richard Levitte | http://richard.levitte.org/ | Spannv. 38, I
Levitte Programming | http://www.lp.se/ | S-168 35 Bromma
T: +46-708-26 53 44 | | SWEDEN
"Price, performance, quality... choose the two you like"
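The policy processing sketched in the reply (a CA cert's policies only describe what its subordinates may assert; mappings along the path and the relying party's initial policy set decide the outcome, and a clash that survives to the end can invalidate the whole path) as an added, simplified RFC 3280 section 6.1 walk-through; this is illustrative code written for this thread, not code from the list, OpenSSL or any other library, and every OID except anyPolicy is a constructed placeholder:

```python
# Simplified RFC 3280 section 6.1 policy processing, an illustration for this
# thread (not the list's or any library's code); OIDs other than anyPolicy are placeholders.

ANY_POLICY = "2.5.29.32.0"  # anyPolicy, RFC 3280 section 4.2.1.5

def valid_policies(path, user_initial_policy_set):
    """path: [(policies, mappings), ...] from the cert below the trust anchor to the EE;
    policies is the set of OIDs in certificatePolicies (None if the extension is absent),
    mappings a list of (issuerDomainPolicy, subjectDomainPolicy). Returns the policies,
    named in the trust anchor's domain, under which the path is valid (empty: none)."""
    # state: expected policy for the next cert -> depth-1 policies it descends from
    state = {ANY_POLICY: {ANY_POLICY}}
    for depth, (policies, mappings) in enumerate(path, start=1):
        if policies is None or not state:
            state = {}        # missing extension: the policy tree is NULL from here on
            continue
        new = {}
        def add(expected, origins):
            new.setdefault(expected, set()).update(origins)
        for p in policies:
            if p in state:                                   # matches a parent expectation
                add(p, state[p])
            elif p != ANY_POLICY and ANY_POLICY in state:    # parent anyPolicy matches any
                add(p, {p} if depth == 1 else state[ANY_POLICY])
        if ANY_POLICY in policies:           # cert anyPolicy inherits every parent expectation
            for expected, origins in state.items():
                add(expected, origins)
        for issuer_pol, subject_pol in mappings:             # policy mappings at this depth
            if issuer_pol in new:
                add(subject_pol, new.pop(issuer_pol))
            elif ANY_POLICY in new:
                add(subject_pol, {issuer_pol} if depth == 1 else new[ANY_POLICY])
        state = new
    origins = set().union(*state.values()) if state else set()
    if ANY_POLICY in user_initial_policy_set:
        return origins
    if ANY_POLICY in origins:        # a depth-1 anyPolicy node satisfies any user policy
        return set(user_initial_policy_set)
    return origins & set(user_initial_policy_set)

def check_path(path, user_initial_policy_set, exclusive_pairs=()):
    """Strict reading: two declared-incompatible policies surviving to the end invalidates the path."""
    result = valid_policies(path, user_initial_policy_set)
    clash = any(a in result and b in result for a, b in exclusive_pairs)
    return bool(result) and not clash, result

# Constructed sample: a CA cert asserting two mutually exclusive CPS policies.
POLICY_A, POLICY_B = "1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.1.2"
WEIRD_CA = ({POLICY_A, POLICY_B}, [])
```

With `WEIRD_CA` followed by an EE cert asserting only one of the two policies, only that policy survives; if the EE asserts both, the relying party's initial policy set (or the strict clash check) is what decides.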