RE: Last Call: Qualified Certificates
Magnus,
Only one issue left....
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Nystrom, Magnus
>
> Jim,
>
> Thanks for continuing the discussion... Some replies below.
>
> On Wed, 17 Dec 2003, Jim Schaad wrote:
>
> > > -----Original Message-----
> > >
> > > Thanks for your review. I'll respond to a few of your
> > > comments here.
> > > > 10. Section 3.2.5.1 - I have decided to put the predefined
> > > > statement into my QC. After reading this document I understand
> > > > that what I want starts as follows:
> > > >
> > > > EXTENSION { id-pe-qcStatements,
> > > > { id-qcs-pkixQCSyntax-v1, {ABSENT, ? }}
> > > > In this case I don't have a semanticsIdentifier created by the
> > > > document, so I must be including the NameRegistrationAuthorities
> > > > option. However I don't know if what goes here is the pkix working
> > > > group name or some other value.
> > >
> > > I am not sure I understand your question Jim, but values for the
> > > nameRegistrationAuthorities component have nothing to do with PKIX.
> > > It is the OID for the authority responsible for the subject's name
> > > (or attributes of the subject's name) as it appears in the
> > > certificate. I thought this was clear from 3.2.5.1? Likewise for
> > > the semanticsIdentifier option - it is to be specified by/for that
> > > authority.
> >
> > LET ME QUOTE:
> >
> > -- This statement identifies conformance with syntax and
> > -- semantics defined in this Qualified Certificate profile
> > -- (Version 1). The SemanticsInformation may optionally contain
> > -- additional semantics information as specified.
> >
> > As I read this statement there should be an OID that identifies this
> > DOCUMENT as a name registration authority.
>
> No, that was not the intent - this document should not be a
> name registration authority.
>
> Note the syntax: A QCStatement is a SEQUENCE of a statementID
> component (an OID) and an optional statementInfo. For the
> object qcStatement-1, the statementInfo component is a value
> of type SemanticsInformation. The semantics of qcStatement-1
> is that the certificate has been issued in conformance with
> syntax and semantics identified in this document. In the case
> of qcStatement-1, the statementInfo component (which is of type
> SemanticsInformation) "MAY contain a semantics identifier and
> MAY identify one or more name registration authorities."
> ("MAY" since the components are optional).
>
> As stated in the document, the semanticsIdentifier component
> of a SemanticsInformation value contains an OID which defines
> semantics for certain attributes and names in basic
> certificate fields, and the nameRegistrationAuthorities
> component contains the name of one or more authorities
> responsible for the registration of attributes or names
> associated with the subject and the association between such
> an authority and present attributes MAY be defined by a
> semanticsIdentifier OID.
>
> > If I use the fields defined by this document and use the defined OID
> > in this document, then I need to be able to correctly encode this
> > extension in my certificate without reference to an external naming
> > authority. If this is not the case then there is absolutely no reason
> > to have section 3.1 or 3.2.1, 3.2.2, 3.2.3 or 3.2.4 as they are
> > defining how these fields should be used.
> >
> > I need a way to refer to this document as either the
> > semanticsIdentifier or the nameRegistrationAuthority.
>
> As I see it, you shouldn't. The statementInfo component is
> optional. If all you want to say is that you're conformant
> with syntax and semantics of this document then you set the
> statementID to id-qcs-pkixQCSyntax-v1 and leave out the
> statementInfo component. If there is some well-known OID that
> defines semantics for a set of attributes and/or names used
> then include the statementInfo component, and set the
> semanticsIdentifier component. If you just want to name a
> registration authority then include the statementInfo
> component and set its nameRegistrationAuthority component. If
> you want to associate a name registration authority with
> semantics for certain attributes then set both components of
> the SemanticsInformation.
>
> I have tried to capture our thinking above, but I may have
> missed something as we wrote this almost four years ago.
> Stefan, feel free to correct me if I got something wrong.
>
> Did this help at all, Jim?
This does and does not help. I can now understand how you think I
should be encoding this extension. However, in reviewing the document I
do not see any statement that the presence of QCStatements is
optional. This needs to be clarified in the document. The document does
require that either statementInfo or statementId be present within the
QCStatement object, however. Thus if QCStatements is not OPTIONAL (my
reading of your above statement) then a statement as to how to encode
using the "conformance and semantics defined in this document" needs to
be made.
jim
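The three encodings Magnus describes (statementId alone; statementId plus a SemanticsInformation naming a registration authority; the SemanticsInformation constraint that at least one of its two OPTIONAL components be present) as an added worked example, not code from the draft or from either poster. The OID values are the registered ones (id-pe-qcStatements = 1.3.6.1.5.5.7.1.3, id-qcs-pkixQCSyntax-v1 = 1.3.6.1.5.5.7.11.1); the registration authority URI is a constructed sample value, and only the extnValue contents are built, not the outer Extension wrapper. The encoder and decoder are hand-written DER so the example runs without an ASN.1 library.

```python
"""Added example: build and parse the qcStatements extnValue (QCStatements ::=
SEQUENCE OF QCStatement) from the PKIX Qualified Certificate profile.
Not code from the draft or from the thread participants; OIDs are the
registered values, the RA URI below is a constructed sample."""

ID_PE_QCSTATEMENTS = "1.3.6.1.5.5.7.1.3"        # extnID of the extension
ID_QCS_PKIX_QC_SYNTAX_V1 = "1.3.6.1.5.5.7.11.1"  # qcStatement-1 statementId

TAG_OID, TAG_SEQUENCE = 0x06, 0x30
TAG_GN_URI = 0x86  # GeneralName.uniformResourceIdentifier: [6] IMPLICIT IA5String


def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]           # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def semantics_information(semantics_identifier=None, ra_uris=()):
    """SemanticsInformation. Both components are OPTIONAL, but the WITH
    COMPONENTS constraint requires at least one, so an empty value is refused."""
    if semantics_identifier is None and not ra_uris:
        raise ValueError("SemanticsInformation needs semanticsIdentifier or nameRegistrationAuthorities")
    parts = b""
    if semantics_identifier is not None:
        parts += encode_oid(semantics_identifier)
    if ra_uris:  # NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName
        parts += tlv(TAG_SEQUENCE, b"".join(tlv(TAG_GN_URI, u.encode("ascii")) for u in ra_uris))
    return tlv(TAG_SEQUENCE, parts)


def qc_statement(statement_id, statement_info=None):
    """QCStatement ::= SEQUENCE { statementId OID, statementInfo ANY OPTIONAL }"""
    return tlv(TAG_SEQUENCE, encode_oid(statement_id) + (statement_info or b""))


def qc_statements(*statements):
    return tlv(TAG_SEQUENCE, b"".join(statements))


def bare_conformance_extension():
    """Case 1 from the reply: statementId only, statementInfo left out."""
    return qc_statements(qc_statement(ID_QCS_PKIX_QC_SYNTAX_V1))


def conformance_with_ra_extension(ra_uris):
    """Case 3 from the reply: statementInfo names the registration authority."""
    return qc_statements(qc_statement(ID_QCS_PKIX_QC_SYNTAX_V1,
                                      semantics_information(ra_uris=ra_uris)))


# Decoding side, as a relying party or certificate linter would do it.

def read_tlv(buf, pos=0):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0  # no 2.x (x>=40) handling
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_qc_statements(der):
    """Return [(statementId, raw statementInfo bytes or None), ...]."""
    tag, body, _ = read_tlv(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("QCStatements must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        _, stmt, pos = read_tlv(body, pos)
        oid_tag, oid, end = read_tlv(stmt)
        if oid_tag != TAG_OID:
            raise ValueError("statementId must be an OBJECT IDENTIFIER")
        result.append((decode_oid(oid), stmt[end:] or None))
    return result


def parse_semantics_information(der):
    """Return (semanticsIdentifier or None, [RA URIs]). Only the URI form of
    GeneralName is decoded; other name forms are skipped."""
    _, body, _ = read_tlv(der)
    sem_id, uris, pos = None, [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag == TAG_OID:
            sem_id = decode_oid(content)
        elif tag == TAG_SEQUENCE:
            p = 0
            while p < len(content):
                gtag, gval, p = read_tlv(content, p)
                if gtag == TAG_GN_URI:
                    uris.append(gval.decode("ascii"))
    if sem_id is None and not uris:
        raise ValueError("empty SemanticsInformation violates the WITH COMPONENTS constraint")
    return sem_id, uris
```

The bare-conformance value encodes to 300c300a06082b06010505070b01, i.e. one QCStatement holding nothing but the statementId OID; that is the encoding Magnus says to use when the certificate only claims conformance with the profile. The constraint check in parse_semantics_information is the part a linter needs: a statementInfo that is present but carries neither component is syntactically a SEQUENCE yet is not a valid SemanticsInformation.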