RE: Draft-ietf-pkix-proxy-06.txt
Jim,
Given that this document has passed last call and been sent to the
editor, I'm actually not sure what my ability is to make changes at
this point.
You've pointed out one objective error in 4.1.3, which I will
certainly try to correct. Your editorial suggestions I take note of and
if it is possible to make changes easily will incorporate. You also
suggest some additions I feel we're past the point of making unless
the community really feels they are necessary.
One response to your comments below.
Von
Jim Schaad writes (20:56 July 25, 2003):
> > > 7. Section 4.2: I have a complete lack of understanding
> > > for the last three paragraphs in this section.
> >
> > These paragraphs are addressing whether or not the {extended}
> > key usage extensions of its issuer apply to it. It's really
> > ugly because these extensions are really ugly (they are in
> > part restrictions and in part capabilities), I'm not sure how
> > to clarify this.
>
> Item #1. Remove all references to key usage and just leave the extended
> key usage. For key usage, this text makes absolutely no sense.
>
> Item #2. I am not sure that I understand the justification for saying
> that if you are independent, then you get to do anything you want, but if
> otherwise you are restricted on what you can do.
The issue that is being addressed here is that when a proxy is created
that inherits some rights from the issuer (i.e., the policyLanguage is
not independent) the {extended}keyUsage in the proxy certificate
should be constrained by the {extended}keyUsage of its issuer - a
proxy issuer shouldn't be able to grant to a proxy certificate a right
they don't have.
If it is an independent proxy, in which case our thinking is that it is
no longer inheriting any rights from the issuer, so it can be treated
as completely distinct. The issuer no longer matters in regards to
authorization rights for the proxy, so this means the
{extended}keyUsage constraints (which are really authorization) are now
free to be anything the issuer wants.
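An added illustration, not code from the draft or from either correspondent: a Python checker for the rule Von states above. The policy-language and key-purpose OIDs are taken from the published RFC 3820 and RFC 5280 and are assumed to match draft -06; treating an absent extension as "unrestricted" follows RFC 5280 and is an assumption about how the draft's wording would be applied.

```python
from typing import FrozenSet, Optional

# Object identifiers as published in RFC 3820 (proxy policy languages) and
# RFC 5280 (anyExtendedKeyUsage, id-kp-*); assumed unchanged from draft -06.
ID_PPL_INHERIT_ALL = "1.3.6.1.5.5.7.21.1"
ID_PPL_INDEPENDENT = "1.3.6.1.5.5.7.21.2"
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

Uses = Optional[FrozenSet[str]]   # None models an absent extension

def within(proxy_uses: Uses, issuer_uses: Uses, wildcard: Optional[str] = None) -> bool:
    """True if the proxy's effective usage set is no larger than the issuer's.

    An absent extension (None), or an EKU list containing anyExtendedKeyUsage,
    is treated as 'unrestricted' (RFC 5280 semantics, an assumption here).
    A restricted issuer can therefore never mint an unrestricted proxy.
    """
    if issuer_uses is None or (wildcard is not None and wildcard in issuer_uses):
        return True   # issuer holds every right, so nothing can exceed it
    if proxy_uses is None or (wildcard is not None and wildcard in proxy_uses):
        return False  # proxy claims everything while the issuer is restricted
    return proxy_uses <= issuer_uses

def proxy_usage_ok(policy_language: str, issuer_ku: Uses, issuer_eku: Uses,
                   proxy_ku: Uses, proxy_eku: Uses) -> bool:
    """The rule from the thread: an independent proxy inherits nothing, so its
    {extended}keyUsage is unconstrained; any other policy language requires the
    proxy's {extended}keyUsage to be a subset of the issuer's."""
    if policy_language == ID_PPL_INDEPENDENT:
        return True
    return within(proxy_ku, issuer_ku) and within(proxy_eku, issuer_eku, ANY_EKU)

if __name__ == "__main__":
    # Constructed sample: an EEC limited to digitalSignature/keyEncipherment + clientAuth.
    eec_ku = frozenset({"digitalSignature", "keyEncipherment"})
    eec_eku = frozenset({CLIENT_AUTH})
    wanted_ku, wanted_eku = frozenset({"digitalSignature"}), frozenset({CLIENT_AUTH, SERVER_AUTH})
    # Inheriting proxy that tries to add serverAuth: rejected.
    print(proxy_usage_ok(ID_PPL_INHERIT_ALL, eec_ku, eec_eku, wanted_ku, wanted_eku))
    # Same proxy under the independent policy language: accepted.
    print(proxy_usage_ok(ID_PPL_INDEPENDENT, eec_ku, eec_eku, wanted_ku, wanted_eku))
```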