RE: Last Call: Qualified Certificates
Magnus,
This being the case, please add a textual statement that for
qcStatement-1, the SemanticsInformation parameter is optional.
jim
> -----Original Message-----
> From: Nystrom, Magnus [mailto:mnystrom@xxxxxxxxxxxxxxx]
> Sent: Thursday, December 18, 2003 12:33 AM
> To: jimsch@xxxxxxxxxx
> Cc: ietf-pkix@xxxxxxx; 'Stefan Santesson'
> Subject: RE: Last Call: Qualified Certificates
>
>
> Jim,
>
> Please find my reply below.
>
> On Wed, 17 Dec 2003, Jim Schaad wrote:
>
> > Magnus,
> >
> > Only one issue left....
> >
> > > -----Original Message-----
> > > From: owner-ietf-pkix@xxxxxxxxxxxx
> > > [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Nystrom, Magnus
> > >
> > > Jim,
> > >
> > > Thanks for continuing the discussion... Some replies below.
> > >
> > > On Wed, 17 Dec 2003, Jim Schaad wrote:
> > >
> > > > > -----Original Message-----
> > > > >
> > > > > Thanks for your review. I'll respond to a few of your
> > > > > comments here.
> > > > > > 10. Section 3.2.5.1 - I have decided to put the predefined
> > > > > > statement into my QC. After reading this document I
> > > > > > understand that what I want starts as follows:
> > > > > >
> > > > > > EXTENSION { id-pe-qcStatements,
> > > > > > { id-qcs-pkixQCSyntax-v1, {ABSENT, ? }}
> > > > > > In this case I don't have a semanticsIdentifier
> > > > > > created by the document, so I must be including the
> > > > > > NameRegistrationAuthorities option. However I don't know if
> > > > > > what goes here is the pkix working group name or some other
> > > > > > value.
> > > > >
> > > > > I am not sure I understand your question Jim, but
> > > > > values for the nameRegistrationAuthorities component have nothing to do with
> > > > > PKIX. It is the OID for the authority responsible for the
> > > > > subject's name (or attributes of the subject's name) as it
> > > > > appears in the certificate. I thought this was clear from
> > > > > 3.2.5.1? Likewise for the semanticsIdentifier option
> > > > > - it is to be specified by/for that authority.
> > > >
> > > > LET ME QUOTE:
> > > >
> > > > -- This statement identifies conformance with syntax and
> > > > -- semantics defined in this Qualified Certificate profile
> > > > -- (Version 1). The SemanticsInformation may optionally contain
> > > > -- additional semantics information as specified.
> > > >
> > > > As I read this statement there should be an OID that identifies
> > > > this DOCUMENT as a name registration authority.
> > >
> > > No, that was not the intent - this document should not be a name
> > > registration authority.
> > >
> > > Note the syntax: A QCStatement is a SEQUENCE of a statementID
> > > component (an OID) and an optional statementInfo. For the object
> > > qcStatement-1, the statementInfo component is a value of type
> > > SemanticsInformation. The semantics of qcStatement-1 is that the
> > > certificate has been issued in conformance with syntax and semantics
> > > identified in this document. In the case of qcStatement-1, the
> > > statementInfo component (which is of type SemanticsInformation) "MAY
> > > contain a semantics identifier and MAY identify one or more name
> > > registration authorities." ("MAY" since the components are
> > > optional).
> > >
> > > As stated in the document, the semanticsIdentifier component of a
> > > SemanticsInformation value contains an OID which defines semantics
> > > for certain attributes and names in basic certificate fields, and
> > > the nameRegistrationAuthorities component contains the name of one
> > > or more authorities responsible for the registration of attributes
> > > or names associated with the subject and the association between
> > > such an authority and present attributes MAY be defined by a
> > > semanticsIdentifier OID.
> > >
> > > > If I use the fields defined by this document and use the defined
> > > > OID in this document, then I need to be able to correctly encode
> > > > this extension in my certificate without reference to an external
> > > > naming authority. If this is not the case then there is
> > > > absolutely no reason to have section 3.1 or 3.2.1, 3.2.2, 3.2.3 or
> > > > 3.2.4 as they are defining how these fields should be used.
> > > >
> > > > I need a way to refer to this document as either the
> > > > semanticsIdentifier or the nameRegistrationAuthority.
> > >
> > > As I see it, you shouldn't. The statementInfo component is optional.
> > > If all you want to say is that you're conformant with syntax and
> > > semantics of this document then you set the statementID to
> > > id-qcs-pkixQCSyntax-v1 and leave out the statementInfo component. If
> > > there is some well-known OID that defines semantics for a set of
> > > attributes and/or names used then include the statementInfo
> > > component, and set the semanticsIdentifier component. If you just
> > > want to name a registration authority then include the statementInfo
> > > component and set its nameRegistrationAuthority component. If
> > > you want to associate a name registration authority with
> > > semantics for certain attributes then set both components of
> > > the SemanticsInformation.
> > >
> > > I have tried to capture our thinking above, but I may have missed
> > > something as we wrote this almost four years ago. Stefan, feel free
> > > to correct me if I got something wrong.
> > >
> > > Did this help at all, Jim?
> >
> > This does and does not help. I can now understand how you think that
> > I should be encoding this extension. However in reviewing the
> > document I do not see any statements that the presence
> > of QCStatements is optional. This needs to be clarified in the
> > document.
>
> I think there is some confusion here. QCStatements is not
> optional. But each QCStatement has the syntax
>
> QCStatement ::= SEQUENCE {
> statementId QC-STATEMENT.&Id({SupportedStatements}),
> statementInfo QC-STATEMENT.&Type
> ({SupportedStatements}{@statementId}) OPTIONAL }
>
> (or in older syntax:
>
> QCStatement ::= SEQUENCE {
> statementId OBJECT IDENTIFIER,
> statementInfo ANY DEFINED BY statementId OPTIONAL}
> )
>
> I.e. the statementInfo component of each QCStatement value is
> OPTIONAL. So, if you use this extension, you can have a
> QCStatement with the statementId value set to the statement
> OID defined in the document, but you don't need to have a
> statementInfo component present.
>
> > The document does require that either statementInfo or statementId be
> > present within the QCStatement object however.
>
> (QCStatement is a type, not an object)
>
> No, it requires that either the semanticsIdentifier or the
> nameRegistrationAuthorities components (or both) be present
> in a value of type SemanticsInformation which is the syntax
> for the qcStatement-1 object. This should not be confused
> with the QCStatement type. If the statementId component of a
> QCStatement value has the value id-qcs-pkixQCSyntax-v1 then
> the statementInfo component is still optional, but if present
> it must have the syntax SemanticsInformation for which it
> holds that at least one of its components must be present.
>
> > Thus if QCStatements is not OPTIONAL (my reading of your above
> > statement) then a statement as to how to encode as using the
> > "conformance and semantics defined in this document" needs to be made.
>
> QCStatements is not OPTIONAL, but you don't need to populate
> individual QCStatement's statementInfo components, as described above.
>
> -- Magnus
>
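As an added illustration of the encoding rules Magnus describes above (this is not code from the thread, the draft, or any PKIX implementation), the following Python builds a QCStatements extension value the two ways discussed here: a qcStatement-1 with statementInfo absent, and one whose SemanticsInformation names a registration authority. The numeric OIDs for id-pe-qcStatements and id-qcs-pkixQCSyntax-v1 are taken from RFC 3039, the earlier version of this profile; the registration-authority URI is a constructed placeholder. The validator applies the rule Magnus states: statementInfo is OPTIONAL, but when it is present for qcStatement-1 it must be a SemanticsInformation carrying at least one of semanticsIdentifier or nameRegistrationAuthorities.

```python
# Added example, not code from the thread or the PKIX draft: minimal DER
# encode/decode of the QCStatements extension. OIDs are from RFC 3039; the
# registration-authority URI in main() is a constructed placeholder.

# id-pkix = 1.3.6.1.5.5.7; id-pe = { id-pkix 1 }; id-qcs = { id-pkix 11 }
ID_PE_QCSTATEMENTS = "1.3.6.1.5.5.7.1.3"        # extnID of the extension
ID_QCS_PKIX_QCSYNTAX_V1 = "1.3.6.1.5.5.7.11.1"  # statementId of qcStatement-1

SEQUENCE, OID, OCTET_STRING = 0x30, 0x06, 0x04
GN_URI = 0x86  # GeneralName uniformResourceIdentifier [6] IMPLICIT IA5String


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV; first two arcs share one octet, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    return tlv(OID, bytes(body))


def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position just past this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def items(content: bytes) -> list:
    """Split the content octets of a constructed value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        out.append((tag, inner))
    return out


def semantics_information(semantics_id: str = None, nra_uris=()) -> bytes:
    """SemanticsInformation ::= SEQUENCE { semanticsIdentifier OID OPTIONAL,
    nameRegistrationAuthorities SEQUENCE SIZE (1..MAX) OF GeneralName OPTIONAL }.
    The at-least-one rule is checked by validate_qc_statements, not enforced here."""
    body = encode_oid(semantics_id) if semantics_id else b""
    if nra_uris:
        body += tlv(SEQUENCE, b"".join(tlv(GN_URI, u.encode("ascii")) for u in nra_uris))
    return tlv(SEQUENCE, body)


def qc_statement(statement_id: str, statement_info: bytes = b"") -> bytes:
    """QCStatement ::= SEQUENCE { statementId OID, statementInfo ANY DEFINED BY statementId OPTIONAL }."""
    return tlv(SEQUENCE, encode_oid(statement_id) + statement_info)


def qc_statements(*statements: bytes) -> bytes:
    """QCStatements ::= SEQUENCE OF QCStatement (this is the extnValue contents)."""
    return tlv(SEQUENCE, b"".join(statements))


def qc_statements_extension(value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING };
    non-critical, so DER omits the DEFAULT FALSE component."""
    return tlv(SEQUENCE, encode_oid(ID_PE_QCSTATEMENTS) + tlv(OCTET_STRING, value))


def validate_qc_statements(value: bytes) -> list:
    """Return the problems found (empty list when the value follows the rules above)."""
    problems = []
    tag, content, end = read_tlv(value, 0)
    if tag != SEQUENCE or end != len(value):
        return ["QCStatements must be exactly one SEQUENCE"]
    for n, (tag, stmt) in enumerate(items(content), 1):
        parts = items(stmt) if tag == SEQUENCE else []
        if not parts or parts[0][0] != OID or not parts[0][1] or len(parts) > 2:
            problems.append(f"statement {n}: expected statementId OID plus optional statementInfo")
            continue
        if decode_oid(parts[0][1]) != ID_QCS_PKIX_QCSYNTAX_V1 or len(parts) == 1:
            continue  # foreign statement (ANY DEFINED BY), or qcStatement-1 with statementInfo absent
        info_tag, info = parts[1]
        comps = items(info) if info_tag == SEQUENCE else None
        if comps is None:
            problems.append(f"statement {n}: statementInfo for qcStatement-1 must be SemanticsInformation")
        elif not comps:
            problems.append(f"statement {n}: SemanticsInformation needs semanticsIdentifier or nameRegistrationAuthorities")
        elif len(comps) > 2 or any(t not in (OID, SEQUENCE) for t, _ in comps):
            problems.append(f"statement {n}: unexpected component in SemanticsInformation")
        elif any(t == SEQUENCE and not items(c) for t, c in comps):
            problems.append(f"statement {n}: nameRegistrationAuthorities must hold at least one GeneralName")
    return problems


if __name__ == "__main__":
    bare = qc_statements(qc_statement(ID_QCS_PKIX_QCSYNTAX_V1))
    named = qc_statements(qc_statement(ID_QCS_PKIX_QCSYNTAX_V1, semantics_information(
        nra_uris=["urn:example:name-registration-authority"])))  # constructed placeholder URI
    bad = qc_statements(qc_statement(ID_QCS_PKIX_QCSYNTAX_V1, tlv(SEQUENCE, b"")))
    for label, v in (("statementInfo absent", bare), ("NRA named", named), ("empty SemanticsInformation", bad)):
        print(f"{label:28} {v.hex()}  problems={validate_qc_statements(v)}")
    print("Extension:", qc_statements_extension(bare).hex())
```

The first case is the answer to the "{ABSENT, ?}" question in the quoted message: with statementInfo left out, the whole QCStatements value is the 14 octets 300c300a06082b06010505070b01. The last case shows why a relying party's decoder should apply the SemanticsInformation constraint rather than accept any SEQUENCE: an empty SemanticsInformation is a valid DER encoding but not a valid qcStatement-1.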