[no subject]
Steve Hanna wrote:
>
> I will add my voice to the growing crowd emphasizing that
> there are many good reasons to have multiple certificate
> policies in a single certificate (EE or CA). Sharon gave
> several good examples.
>
> Asserting "conflicting" policies is bad, but there's no
> way for software to determine whether two policies conflict.
Just to be sure I'm clear, are you saying asserting conflicting
policies in the *certificate* is bad, or that after path processing
conflicting acceptable policies are bad?
If the latter, then I whole-heartedly agree, but there is
no easy mechanism for detecting and resolving the conflict
in an automated way, as you note...
> It would need to download the CP and/or CPS and interpret
> the language there to decide whether the policies conflict.
> Heck, most humans can't do that!
If the former, then I don't agree. I view the policies
in a certificate as indicating what the cert is potentially
*capable* of satisfying--not quite the word I want but it'll
do for now. Asserting both P and !P would mean to me the cert
could be good for either even if you shouldn't have both when
all is said and done. The final determination is left to the
path processing (which may eliminate the conflicting policy)
or possibly to the application (or user).
Jeff