
RE: Last Call: Qualified Certificates

Jim,

The QCStatement.statementInfo component is optional for any and all
statements. It is not specific for qcStatement-1, it is governed by the
Type definition for QCStatement. Quoting from the text describing the
QCStatement type: "Each statement SHALL include an object identifier for
the statement and MAY also include optional qualifying data contained in
the statementInfo parameter." Adding a special statement for qcStatement-1
would be confusing, IMO.

-- Magnus

On Thu, 18 Dec 2003, Jim Schaad wrote:

> Magnus,
>
> This being the case, please add a textual statement that for
> qcStatement-1, the parameters SemanticsInformation is optional.
>
> jim
>
> > -----Original Message-----
> > From: Nystrom, Magnus [mailto:mnystrom@xxxxxxxxxxxxxxx]
> > Sent: Thursday, December 18, 2003 12:33 AM
> > To: jimsch@xxxxxxxxxx
> > Cc: ietf-pkix@xxxxxxx; 'Stefan Santesson'
> > Subject: RE: Last Call: Qualified Certificates
> >
> > Jim,
> >
> > Please find my reply below.
> >
> > On Wed, 17 Dec 2003, Jim Schaad wrote:
> >
> > > Magnus,
> > >
> > > Only one issue left....
> > >
> > > > -----Original Message-----
> > > > From: owner-ietf-pkix@xxxxxxxxxxxx
> > > > [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Nystrom, Magnus
> > > >
> > > > Jim,
> > > >
> > > > Thanks for continuing the discussion... Some replies below.
> > > >
> > > > On Wed, 17 Dec 2003, Jim Schaad wrote:
> > > >
> > > > > > -----Original Message-----
> > > > > >
> > > > > > Thanks for your review. I'll respond to a few of your comments
> > > > > > here.
> > > > > > > 10. Section 3.2.5.1 - I have decided to put the predefined
> > > > > > > statement into my QC.  After reading this document I
> > > > > > > understand that what I want starts as follows:
> > > > > > >
> > > > > > > 	EXTENSION { id-pe-qcStatements,
> > > > > > > 			{ id-qcs-pkixQCSyntax-v1, {ABSENT, ? }}
> > > > > > > In this case I don't have a semanticsIdentifier created by the
> > > > > > > document, so I must be including the
> > > > > > > NameRegistrationAuthorities option.  However I don't know if
> > > > > > > what goes here is the pkix working group name or some other
> > > > > > > value.
> > > > > >
> > > > > > I am not sure I understand your question Jim, but values for the
> > > > > > nameRegistrationAuthorities component have nothing to do with
> > > > > > PKIX. It is the OID for the authority responsible for the
> > > > > > subject's name (or attributes of the subject's name) as it
> > > > > > appears in the certificate. I thought this was clear from
> > > > > > 3.2.5.1?  Likewise for the semanticsIdentifier option - it is to
> > > > > > be specified by/for that authority.
> > > > >
> > > > > LET ME QUOTE:
> > > > >
> > > > >    --  This statement identifies conformance with syntax and
> > > > >    --  semantics defined in this Qualified Certificate profile
> > > > >    --  (Version 1). The SemanticsInformation may optionally contain
> > > > >    --  additional semantics information as specified.
> > > > >
> > > > > As I read this statement there should be an OID that identifies
> > > > > this DOCUMENT as a name registration authority.
> > > >
> > > > No, that was not the intent - this document should not be a name
> > > > registration authority.
> > > >
> > > > Note the syntax: A QCStatement is a SEQUENCE of a statementID
> > > > component (an OID) and an optional statementInfo. For the object
> > > > qcStatement-1, the statementInfo component is a value of type
> > > > SemanticsInformation. The semantics of qcStatement-1 is that the
> > > > certificate has been issued in conformance with syntax and semantics
> > > > identified in this document. In the case of qcStatement-1, the
> > > > statementInfo component (which is of type SemanticsInformation) "MAY
> > > > contain a semantics identifier and MAY identify one or more name
> > > > registration authorities."  ("MAY" since the components are
> > > > optional).
> > > >
> > > > As stated in the document, the semanticsIdentifier component of a
> > > > SemanticsInformation value contains an OID which defines semantics
> > > > for certain attributes and names in basic certificate fields, and
> > > > the nameRegistrationAuthorities component contains the name of one
> > > > or more authorities responsible for the registration of attributes
> > > > or names associated with the subject and the association between
> > > > such an authority and present attributes MAY be defined by a
> > > > semanticsIdentifier OID.
> > > >
> > > > > If I use the fields defined by this document and use the defined
> > > > > OID in this document, then I need to be able to correctly encode
> > > > > this extension in my certificate without reference to an external
> > > > > naming authority.  If this is not the case then there is
> > > > > absolutely no reason to have section 3.1 or 3.2.1, 3.2.2, 3.2.3 or
> > > > > 3.2.4 as they are defining how these fields should be used.
> > > > >
> > > > > I need a way to refer to this document as either the
> > > > > semanticsIdentifier or the nameRegistrationAuthority.
> > > >
> > > > As I see it, you shouldn't. The statementInfo component is optional.
> > > > If all you want to say is that you're conformant with syntax and
> > > > semantics of this document then you set the statementID to
> > > > id-qcs-pkixQCSyntax-v1 and leave out the statementInfo component. If
> > > > there is some well-known OID that defines semantics for a set of
> > > > attributes and/or names used then include the statementInfo
> > > > component, and set the semanticsIdentifier component. If you just
> > > > want to name a registration authority then include the statementInfo
> > > > component and set its nameRegistrationAuthority component. If
> > > > you want to associate a name registration authority with
> > > > semantics for certain attributes then set both components of
> > > > the SemanticsInformation.
> > > >
> > > > I have tried to capture our thinking above, but I may have missed
> > > > something as we wrote this almost four years ago. Stefan, feel free
> > > > to correct me if I got something wrong.
> > > >
> > > > Did this help at all, Jim?
> > >
> > > This does and does not help.  I can now understand how you think that
> > > I should be encoding this extension.  However in reviewing the
> > > document I do not see any statements about the fact that the presence
> > > of QCStatements is optional.  This needs to be clarified in the
> > > document.
> >
> > I think there is some confusion here. QCStatements is not
> > optional. But each QCStatement has the syntax
> >
> >    QCStatement ::= SEQUENCE {
> >        statementId   QC-STATEMENT.&Id({SupportedStatements}),
> >        statementInfo QC-STATEMENT.&Type
> >        ({SupportedStatements}{@statementId}) OPTIONAL }
> >
> > (or in older syntax:
> >
> > QCStatement ::= SEQUENCE {
> >     statementId        OBJECT IDENTIFIER,
> >     statementInfo      ANY DEFINED BY statementId OPTIONAL}
> > )
> >
> > I.e. the statementInfo component of each QCStatement value is
> > OPTIONAL. So, if you use this extension, you can have a
> > QCStatement with the statementId value set to the statement
> > OID defined in the document, but you don't need to have a
> > statementInfo component present.
> >
> > > The document does require that either statementInfo or statementId be
> > > present within the QCStatement object however.
> >
> > (QCStatement is a type, not an object)
> >
> > No, it requires that either the semanticsIdentifier or the
> > nameRegistrationAuthorities components (or both) be present
> > in a value of type SemanticsInformation which is the syntax
> > for the qcStatement-1 object. This should not be confused
> > with the QCStatement type. If the statementId component of a
> > QCStatement value has the value id-qcs-pkixQCSyntax-v1 then
> > the statementInfo component is still optional, but if present
> > it must have the syntax SemanticsInformation for which it
> > holds that at least one of its components must be present.
> >
> > > Thus if QCStatements is not OPTIONAL (my reading of your above
> > > statement) then a statement as to how to encode as using the
> > > "conformance and semantics defined in this document" needs to be made.
> >
> > QCStatements is not OPTIONAL, but you don't need to populate
> > individual QCStatement's statementInfo components, as described above.
> >
> > -- Magnus
> >
>
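The encoding question Jim and Magnus go back and forth on above can be made concrete with a small DER encoder/decoder. The following is an added example, not code from the thread or from the draft's authors; it implements the ASN.1 in the thread (QCStatement with an OPTIONAL statementInfo, SemanticsInformation with two OPTIONAL members of which at least one must be present, nameRegistrationAuthorities as a SEQUENCE OF GeneralName). The object identifiers id-pe-qcStatements (1.3.6.1.5.5.7.1.3) and id-qcs-pkixQCSyntax-v1 (1.3.6.1.5.5.7.11.1) are the ones from the profile; the semantics OID 1.2.3.4 and the URI urn:example:nra used as sample input are hypothetical, and only the uniformResourceIdentifier form of GeneralName is handled.

```python
"""DER encode/decode for the qcStatements extension (added example, not from the thread).

  QCStatements ::= SEQUENCE OF QCStatement
  QCStatement  ::= SEQUENCE { statementId   OBJECT IDENTIFIER,
                              statementInfo ANY DEFINED BY statementId OPTIONAL }
  SemanticsInformation ::= SEQUENCE {
      semanticsIdentifier         OBJECT IDENTIFIER OPTIONAL,
      nameRegistrationAuthorities SEQUENCE SIZE (1..MAX) OF GeneralName OPTIONAL }
      -- at least one of the two members must be present
"""
from typing import List, Optional, Sequence, Tuple

ID_PE_QCSTATEMENTS = "1.3.6.1.5.5.7.1.3"        # extnID of the extension (from the profile)
ID_QCS_PKIX_QCSYNTAX_V1 = "1.3.6.1.5.5.7.11.1"  # statementId of qcStatement-1 (from the profile)
TAG_SEQ, TAG_OID, TAG_OCTETS, TAG_GN_URI = 0x30, 0x06, 0x04, 0x86  # [6] IMPLICIT IA5String


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("bad OID " + dotted)
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]                      # base-128 digits, high bit = more follow
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(TAG_OID, bytes(out))


def encode_semantics_information(semantics_id: Optional[str] = None,
                                 nra_uris: Sequence[str] = ()) -> bytes:
    """statementInfo for qcStatement-1: both members optional, but not both absent."""
    if semantics_id is None and not nra_uris:
        raise ValueError("SemanticsInformation needs semanticsIdentifier and/or "
                         "nameRegistrationAuthorities")
    body = encode_oid(semantics_id) if semantics_id else b""
    if nra_uris:
        body += der(TAG_SEQ, b"".join(der(TAG_GN_URI, u.encode("ascii")) for u in nra_uris))
    return der(TAG_SEQ, body)


def encode_qc_statement(statement_id: str, statement_info: bytes = b"") -> bytes:
    return der(TAG_SEQ, encode_oid(statement_id) + statement_info)  # info may be empty


def encode_qc_statements(statements: Sequence[bytes]) -> bytes:
    return der(TAG_SEQ, b"".join(statements))


def encode_qc_statements_extension(statements: Sequence[bytes]) -> bytes:
    """Extension { extnID, critical DEFAULT FALSE (omitted), extnValue OCTET STRING }."""
    return der(TAG_SEQ, encode_oid(ID_PE_QCSTATEMENTS) + der(TAG_OCTETS, encode_qc_statements(statements)))


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    first = content[0]
    arcs, val = ([2, first - 80] if first >= 80 else [first // 40, first % 40]), 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if content[-1] & 0x80:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def decode_semantics_information(content: bytes) -> Tuple[Optional[str], list]:
    pos, semantics_id, nras = 0, None, []
    if pos < len(content) and content[pos] == TAG_OID:
        _, body, pos = _read_tlv(content, pos)
        semantics_id = decode_oid(body)
    if pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        if tag != TAG_SEQ:
            raise ValueError("expected nameRegistrationAuthorities SEQUENCE")
        p = 0
        while p < len(body):
            t, gn, p = _read_tlv(body, p)
            nras.append(gn.decode("ascii") if t == TAG_GN_URI else (t, gn))  # other GeneralNames kept raw
        if not nras:
            raise ValueError("nameRegistrationAuthorities is SIZE (1..MAX)")
    if pos != len(content):
        raise ValueError("trailing bytes in SemanticsInformation")
    if semantics_id is None and not nras:
        raise ValueError("SemanticsInformation with neither member present is invalid")
    return semantics_id, nras


def decode_qc_statements(data: bytes) -> List[Tuple[str, object]]:
    """[(statementId, info)]: info is None when statementInfo is absent, a decoded
    SemanticsInformation for qcStatement-1, and raw bytes for any other statementId."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != TAG_SEQ or end != len(data):
        raise ValueError("QCStatements must be a single SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        t, stmt, pos = _read_tlv(seq, pos)
        t2, oid_body, p = _read_tlv(stmt, 0)
        if t != TAG_SEQ or t2 != TAG_OID:
            raise ValueError("QCStatement must be SEQUENCE { OID, ... }")
        sid, rest = decode_oid(oid_body), stmt[p:]
        if not rest:
            info = None                                # statementInfo omitted: still valid
        elif sid == ID_QCS_PKIX_QCSYNTAX_V1:
            t3, body, e = _read_tlv(rest, 0)
            if t3 != TAG_SEQ or e != len(rest):
                raise ValueError("statementInfo of qcStatement-1 must be SemanticsInformation")
            info = decode_semantics_information(body)
        else:
            info = rest
        out.append((sid, info))
    return out


if __name__ == "__main__":
    bare = encode_qc_statement(ID_QCS_PKIX_QCSYNTAX_V1)         # "conformant, nothing more"
    print("minimal extension :", encode_qc_statements_extension([bare]).hex())
    info = encode_semantics_information("1.2.3.4", ["urn:example:nra"])  # hypothetical values
    print("with statementInfo:", decode_qc_statements(encode_qc_statements(
        [encode_qc_statement(ID_QCS_PKIX_QCSYNTAX_V1, info)])))
```

The minimal form Magnus describes (statementId only) encodes to 300c300a06082b06010505070b01 inside the extnValue OCTET STRING; the decoder accepts it and reports the missing statementInfo as None, while a SemanticsInformation with neither member, or an empty nameRegistrationAuthorities list, is rejected as the constraint requires.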