RE: Recommendation on subject matching rules needed..
> > Allow decrypt
> >
> > 1) if Subject Key Identifiers match
> > 2) if Subject Unique Identifiers match
> > 3) if Subjects + Subject Alt. Names match
> > 4) if Issuer Key Identifiers match
> > 5) if Issuer Unique Identifiers match
> > 6) if Issuers match
>
> Shouldn't just being in possession of the private key be enough to
> decrypt previously encrypted data? (What is a certificate
> needed for in this use case?)
>
> I can think of a minor reason to have a certificate: to locate the
> key pair by searching for subject and key usage - however,
> that should not be the only way by which a software can
> locate the right key to use, or?

I suppose if the cert is not used to locate the key, then the only way
to find out which key to use would be to decrypt with all available keys
and try to make sense of the decrypted data to figure out which key was
the proper one..

Anyways at least the email clients want to check the e-mail address in
the cert as well as issuer+serno or do some form of binary match on the
certs.

Saku.
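
An added illustration of the trade-off discussed in this message, not code from the thread or its participants: locating the decryption key by issuer+serial, then by Subject Key Identifier, with trial decryption over every stored key as the fallback. `KeyEntry`, `RecipientInfo`, the toy HMAC-based `wrap`/`unwrap` (a stand-in for real public-key key transport) and the sample data are all constructed, and the example assumes a re-certified key keeps its Subject Key Identifier.

```python
import hashlib, hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyEntry:  # one certificate plus its key in the local store
    issuer: str
    serial: int
    ski: bytes      # Subject Key Identifier
    secret: bytes   # toy symmetric stand-in for the private key

@dataclass(frozen=True)
class RecipientInfo:  # recipient identifiers carried by the message
    issuer: str
    serial: int
    ski: bytes      # empty if the sender did not include one
    wrapped: bytes  # masked content key followed by a 32-byte tag

def _xor(secret, data):  # mask up to 32 bytes with a key-derived pad
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(b"mask" + secret).digest()))

def wrap(secret, cek):  # toy key transport, not a real cipher
    body = _xor(secret, cek)
    return body + hmac.new(secret, body, hashlib.sha256).digest()

def unwrap(secret, wrapped):  # None when the key is the wrong one
    body, tag = wrapped[:-32], wrapped[-32:]
    ok = hmac.compare_digest(tag, hmac.new(secret, body, hashlib.sha256).digest())
    return _xor(secret, body) if ok else None

def locate(store, ri):  # identifier match only, no decryption attempted
    for e in store:
        if (e.issuer, e.serial) == (ri.issuer, ri.serial):
            return e, "issuer+serial"
    for e in store:
        if ri.ski and e.ski == ri.ski:
            return e, "subject key identifier"
    return None, "no match"

def trial_decrypt(store, ri):  # fallback: try every key, count attempts
    for attempts, e in enumerate(store, 1):
        cek = unwrap(e.secret, ri.wrapped)
        if cek is not None:
            return cek, attempts
    return None, len(store)

# Constructed data: message sent to serial 1001, key later re-certified as 2002.
STORE = [KeyEntry("CN=Example CA", 7, b"\x01" * 20, b"other key"),
         KeyEntry("CN=Example CA", 2002, b"\xaa" * 20, b"renewed key")]
CEK = b"0123456789abcdef"
MSG = RecipientInfo("CN=Example CA", 1001, b"\xaa" * 20, wrap(b"renewed key", CEK))
```

With this data the issuer+serial rule finds nothing because the serial changed, the key identifier rule still finds the key, and a message carrying no key identifier forces the trial over every stored key.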