
RE: Certificate policy question



I completely agree with Ambarish's interpretation.  


Chris
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx
[mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Ambarish Malpani
Sent: Thursday, December 12, 2002 12:43 PM
To: Richard Levitte - VMS Whacker; pgut001@xxxxxxxxxxxxxxxxx
Cc: dwfilli@xxxxxxxxxxxxxx; ietf-pkix@xxxxxxx
Subject: RE: Certificate policy question


Richard,
    You might want to regard the certificate as being compatible
with *both* the policies specified. If either of the policies
is acceptable for your needs (and you can create a valid path),
feel free to accept the certificate. That is the best you can
do as certificate processing software.

If the CA should not have issued a cert with both policies (because
they are incompatible, etc.), that is a problem you should let the CA
deal with.


My 2c.
Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani                                         650.759.9045
Malpani Consulting Services                      ambarish@xxxxxxxxxxx
http://www.malpani.biz



> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Richard Levitte - VMS
> Whacker
> Sent: Thursday, December 12, 2002 3:14 AM
> To: pgut001@xxxxxxxxxxxxxxxxx
> Cc: dwfilli@xxxxxxxxxxxxxx; ietf-pkix@xxxxxxx
> Subject: Re: Certificate policy question
>
>
>
> In message <200212120156.gBC1uZb28698@xxxxxxxxxxxxxxxxxxxxxxxxxx>
> on Thu, 12 Dec 2002 14:56:35 +1300, pgut001@xxxxxxxxxxxxxxxxx
> (Peter Gutmann) said:
>
> pgut001> Actually that probably provides the answer to the question:
> pgut001> >1 policy in an EE cert, where one policy isn't a
> pgut001> subset/refinement/compatible version of the other [0],
> pgut001> demonstrates that the issuer is sufficiently confused over
> pgut001> policy issues that the cert should be regarded as following
> pgut001> no policy at all :-).
>
> So, out of curiosity, would you regard that certificate as valid or
> invalid (I hope to code better validation into OpenSSL, and handling
> of policies is certainly a large part, so I'm interested as well :-))?
> I'd opt for invalid unless someone can tell me I should regard as
> valid and why.  I'd even go one step further and regard an EE
> certificate with more than one policy as suspicious, at least.
>
> pgut001> [0] Figuring out how to check for this is left as an
> pgut001> exercise for the reader.
>
> :-)
>
> --
> Richard Levitte     | http://richard.levitte.org/ | Spannv. 38, I
> Levitte Programming | http://www.lp.se/           | S-168 35 Bromma
> T: +46-708-26 53 44 |                             | SWEDEN
>      "Price, performance, quality...  choose the two you like"
>

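The two positions in the thread can be made concrete in code. The following is an added illustration, not code from the thread, from OpenSSL, or from any RFC: a simplified model of the RFC 5280 section 6.1.3 certificate policy processing that a relying party runs over a path, applied to an EE certificate asserting two policies. Ambarish's interpretation (accept when either policy is acceptable and the path is otherwise valid) and Richard's stricter stance (treat a multi-policy EE certificate as suspicious) are each a function. The certificates are plain dictionaries with constructed policy OIDs under the 2.999 example arc; policy mappings, inhibitAnyPolicy and the requireExplicitPolicy skip counter are deliberately not modelled.

```python
# Added illustration (not code from the thread, OpenSSL, or any RFC): a
# simplified model of RFC 5280 section 6.1.3 certificate policy processing,
# enough to show why a relying party can accept an EE certificate that
# asserts two policies when at least one of them is acceptable.
# Simplifications: certificates are plain dicts; policy mappings,
# inhibitAnyPolicy and the requireExplicitPolicy skip counter are not modelled.

ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID from RFC 5280, stands in for any specific policy

# Constructed sample policy OIDs under the 2.999 arc, which is reserved for examples.
POLICY_A = "2.999.1.1"
POLICY_B = "2.999.1.2"
POLICY_C = "2.999.1.3"

# Constructed chain, root first: the root asserts anyPolicy, the CA and EE both
# assert POLICY_A and POLICY_B (the two-policy EE certificate from the thread).
EXAMPLE_PATH = [
    {"subject": "Example Root", "policies": {ANY_POLICY}},
    {"subject": "Example CA", "policies": {POLICY_A, POLICY_B}},
    {"subject": "example-ee", "policies": {POLICY_A, POLICY_B}},
]


def valid_policy_set(path, initial_policy_set):
    """Return the set of policies under which the whole path is valid.

    Walks the path root-first, narrowing the relying party's initial policy
    set by each certificate's certificatePolicies extension.  A certificate
    with no certificatePolicies extension empties the set (RFC 5280 6.1.3(e)).
    """
    current = set(initial_policy_set)
    for cert in path:
        policies = cert.get("policies")
        if not policies:
            return set()  # extension absent (or empty): no policy is asserted for this path
        if ANY_POLICY in policies:
            continue  # certificate accepts any policy: the current set carries through
        if ANY_POLICY in current:
            current = set(policies)  # relying party accepted anything so far: adopt these
        else:
            current &= policies  # keep only policies both sides agree on
        if not current:
            return set()
    return current


def accept_certificate(path, acceptable_policies, require_explicit_policy=True):
    """Ambarish's interpretation: the cert is compatible with *both* policies,
    so accept it when any one of them is acceptable and the path is valid.

    Returns (accepted, policies_the_path_is_valid_under).  When the relying
    party does not require an explicit policy, an empty policy set is not
    by itself a reason to reject the path.
    """
    valid = valid_policy_set(path, acceptable_policies)
    if valid:
        return True, valid
    return (not require_explicit_policy), set()


def single_policy_only(ee_cert):
    """Richard's stricter stance from the thread: treat an EE certificate that
    asserts more than one specific policy as suspicious.  Returns True when the
    certificate passes this stricter check."""
    specific = set(ee_cert.get("policies") or set()) - {ANY_POLICY}
    return len(specific) <= 1


if __name__ == "__main__":
    for wanted in ({POLICY_B}, {POLICY_C}, {ANY_POLICY}):
        ok, under = accept_certificate(EXAMPLE_PATH, wanted)
        print(f"initial policy set {sorted(wanted)}: accepted={ok}, valid under {sorted(under)}")
    print("strict single-policy check on the EE cert:", single_policy_only(EXAMPLE_PATH[-1]))
```

Run as a script it shows the three outcomes that matter for the thread: with the relying party accepting POLICY_B the two-policy EE certificate is accepted under POLICY_B; with only POLICY_C acceptable the path has no valid policy and is rejected (unless the relying party does not require an explicit policy); and with anyPolicy as the initial set the path is valid under both policies. The stricter single-policy check rejects the same EE certificate outright, which is the difference the two posters are discussing.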