RE: Last Call: Qualified Certificates
Jim,
Please find my reply below.
On Wed, 17 Dec 2003, Jim Schaad wrote:
> Magnus,
>
> Only one issue left....
>
> > -----Original Message-----
> > From: owner-ietf-pkix@xxxxxxxxxxxx
> > [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Nystrom, Magnus
> >
> > Jim,
> >
> > Thanks for continuing the discussion... Some replies below.
> >
> > On Wed, 17 Dec 2003, Jim Schaad wrote:
> >
> > > > -----Original Message-----
> > > >
> > > > Thanks for your review. I'll respond to a few of your comments
> > > > here.
> > > > > 10. Section 3.2.5.1 - I have decided to put the predefined
> > > > > statement into my QC. After reading this document I understand
> > > > > that what I want starts as follows:
> > > > >
> > > > > EXTENSION { id-pe-qcStatements,
> > > > > { id-qcs-pkixQCSyntax-v1, {ABSENT, ? }}
> > > > > In this case I don't have a semanticsIdentifier created by the
> > > > > document, so I must be including the
> > > > > NameRegistrationAuthorities option. However I don't know if what
> > > > > goes here is the pkix working group name or some other value.
> > > >
> > > > I am not sure I understand your question Jim, but values for the
> > > > nameRegistrationAuthorities component have nothing to do with PKIX.
> > > > It is the OID for the authority responsible for the subject's name
> > > > (or attributes of the subject's name) as it appears in the
> > > > certificate. I thought this was clear from 3.2.5.1? Likewise for
> > > > the semanticsIdentifier option - it is to be specified by/for that
> > > > authority.
> > >
> > > LET ME QUOTE:
> > >
> > > -- This statement identifies conformance with syntax and
> > > -- semantics defined in this Qualified Certificate profile
> > > -- (Version 1). The SemanticsInformation may optionally contain
> > > -- additional semantics information as specified.
> > >
> > > As I read this statement there should be an OID that identifies this
> > > DOCUMENT as a name registration authority.
> >
> > No, that was not the intent - this document should not be a name
> > registration authority.
> >
> > Note the syntax: A QCStatement is a SEQUENCE of a statementID
> > component (an OID) and an optional statementInfo. For the object
> > qcStatement-1, the statementInfo component is a value of type
> > SemanticsInformation. The semantics of qcStatement-1 is that the
> > certificate has been issued in conformance with syntax and semantics
> > identified in this document. In the case of qcStatement-1, the
> > statementInfo component (which is of type SemanticsInformation) "MAY
> > contain a semantics identifier and MAY identify one or more name
> > registration authorities." ("MAY" since the components are optional).
> >
> > As stated in the document, the semanticsIdentifier component of a
> > SemanticsInformation value contains an OID which defines semantics for
> > certain attributes and names in basic certificate fields, and the
> > nameRegistrationAuthorities component contains the name of one or more
> > authorities responsible for the registration of attributes or names
> > associated with the subject and the association between such an
> > authority and present attributes MAY be defined by a
> > semanticsIdentifier OID.
> >
> > > If I use the fields defined by this document and use the defined OID
> > > in this document, then I need to be able to correctly encode this
> > > extension in my certificate without reference to an external naming
> > > authority. If this is not the case then there is absolutely no
> > > reason to have section 3.1 or 3.2.1, 3.2.2, 3.2.3 or 3.2.4 as they
> > > are defining how these fields should be used.
> > >
> > > I need a way to refer to this document as either the
> > > semanticsIdentifier or the nameRegistrationAuthority.
> >
> > As I see it, you shouldn't. The statementInfo component is
> > optional. If all you want to say is that you're conformant
> > with syntax and semantics of this document then you set the
> > statementID to id-qcs-pkixQCSyntax-v1 and leave out the
> > statementInfo component. If there is some well-known OID that
> > defines semantics for a set of attributes and/or names used
> > then include the statementInfo component, and set the
> > semanticsIdentifier component. If you just want to name a
> > registration authority then include the statementInfo
> > component and set its nameRegistrationAuthority component. If
> > you want to associate a name registration authority with
> > semantics for certain attributes then set both components of
> > the SemanticsInformation.
> >
> > I have tried to capture our thinking above, but I may have
> > missed something as we wrote this almost four years ago.
> > Stefan, feel free to correct me if I got something wrong.
> >
> > Did this help at all, Jim?
>
> This does and does not help. I can now understand how you think that I
> should be encoding this extension. However in reviewing the document I
> do not see any statements about the fact that the presence of
> QCStatements being optional. This needs to be clarified in the
> document.
I think there is some confusion here. QCStatements is not optional. But
each QCStatement has the syntax
    QCStatement ::= SEQUENCE {
        statementId   QC-STATEMENT.&Id({SupportedStatements}),
        statementInfo QC-STATEMENT.&Type
                          ({SupportedStatements}{@statementId}) OPTIONAL }

(or in older syntax:

    QCStatement ::= SEQUENCE {
        statementId   OBJECT IDENTIFIER,
        statementInfo ANY DEFINED BY statementId OPTIONAL }
)
I.e. the statementInfo component of each QCStatement value is OPTIONAL.
So, if you use this extension, you can have a QCStatement with the
statementId value set to the statement OID defined in the document, but
you don't need to have a statementInfo component present.
> The document does require that either statementInfo or statementId be
> present within the QCStatement object however.
(QCStatement is a type, not an object)
No, it requires that either the semanticsIdentifier or the
nameRegistrationAuthorities components (or both) be present in a value of
type SemanticsInformation which is the syntax for the qcStatement-1
object. This should not be confused with the QCStatement type. If the
statementId component of a QCStatement value has the value
id-qcs-pkixQCSyntax-v1 then the statementInfo component is still optional,
but if present it must have the syntax SemanticsInformation for which it
holds that at least one of its components must be present.
> Thus if QCStatements is not OPTIONAL (my reading of your above
> statement) then a statement as to how to encode as using the
> "conformance and semantics defined in this document" needs to be made.
QCStatements is not OPTIONAL, but you don't need to populate individual
QCStatement's statementInfo components, as described above.
-- Magnus
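The three encodings Magnus describes (statementId only; statementId plus a SemanticsInformation naming a registration authority; and the constraint that a SemanticsInformation, when present, carries at least one of its two components) are easier to see in bytes than in prose. The following is an added example and is not code from this thread, from the Qualified Certificates draft, or from any of the participants: a small stand-alone DER encoder and decoder for the QCStatements value (the bytes that go inside the extension's extnValue OCTET STRING). The OIDs id-pe-qcStatements (1.3.6.1.5.5.7.1.3) and id-qcs-pkixQCSyntax-v1 (1.3.6.1.5.5.7.11.1) are the registered ones; everything else is an assumption for the example: GeneralName is limited to its uniformResourceIdentifier choice, the URI is constructed and names no real registration authority, and the function names are the example's own.

```python
# Added example, not code from the thread or the draft: a minimal DER encoder and
# decoder for the QCStatements value, using the syntax quoted above. Assumptions:
# GeneralName is limited to its URI choice; the sample URI below is constructed.

ID_QCS_PKIX_QCSYNTAX_V1 = "1.3.6.1.5.5.7.11.1"  # statementId of qcStatement-1
TAG_SEQ, TAG_OID, TAG_GN_URI = 0x30, 0x06, 0x86  # GeneralName [6] IMPLICIT IA5String

def _der_len(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))

def encode_semantics_information(semantics_identifier=None, name_registration_authorities=()):
    """Enforces 'at least one component present' when the value is built."""
    if semantics_identifier is None and not name_registration_authorities:
        raise ValueError("need semanticsIdentifier and/or nameRegistrationAuthorities")
    parts = [encode_oid(semantics_identifier)] if semantics_identifier else []
    if name_registration_authorities:
        names = b"".join(_tlv(TAG_GN_URI, u.encode("ascii")) for u in name_registration_authorities)
        parts.append(_tlv(TAG_SEQ, names))
    return _tlv(TAG_SEQ, b"".join(parts))

def encode_qc_statement(statement_id, statement_info=None):
    """statementInfo is OPTIONAL: None gives a SEQUENCE holding only the OID."""
    return _tlv(TAG_SEQ, encode_oid(statement_id) + (statement_info or b""))

def encode_qc_statements(*statements):
    return _tlv(TAG_SEQ, b"".join(statements))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_qc_statements(der):
    """Return [(statementId, (tag, body) or None), ...]; raises on bad structure."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQ or end != len(der):
        raise ValueError("QCStatements must be exactly one SEQUENCE")
    out = []
    for stag, sbody in _children(body):
        comps = _children(sbody)
        if stag != TAG_SEQ or not comps or comps[0][0] != TAG_OID or len(comps) > 2:
            raise ValueError("QCStatement must be SEQUENCE { OID, [statementInfo] }")
        out.append((decode_oid(comps[0][1]), comps[1] if len(comps) == 2 else None))
    return out

def validate_qc_statements(der):
    """Check qcStatement-1 values the way the reply describes; returns (ok, reason)."""
    try:
        for oid, info in decode_qc_statements(der):
            if oid != ID_QCS_PKIX_QCSYNTAX_V1 or info is None:
                continue  # absent statementInfo is fine; other statements are not checked here
            tag, body = info
            comps = _children(body) if tag == TAG_SEQ else []
            tags = [t for t, _ in comps]
            if tags not in ([TAG_OID], [TAG_SEQ], [TAG_OID, TAG_SEQ]):
                return False, "statementInfo must be a SemanticsInformation with >= 1 component"
            if tags[-1] == TAG_SEQ and not _children(comps[-1][1]):
                return False, "nameRegistrationAuthorities is SIZE (1..MAX)"
        return True, "ok"
    except (ValueError, IndexError) as exc:
        return False, f"malformed: {exc}"

# Two of the encodings the reply describes: conformance only, and conformance plus
# a (constructed) name registration authority.
MINIMAL = encode_qc_statements(encode_qc_statement(ID_QCS_PKIX_QCSYNTAX_V1))
WITH_RA = encode_qc_statements(encode_qc_statement(
    ID_QCS_PKIX_QCSYNTAX_V1,
    encode_semantics_information(name_registration_authorities=["http://ra.example"])))
```

MINIMAL encodes to 30 0c 30 0a 06 08 2b 06 01 05 05 07 0b 01: an outer SEQUENCE OF holding one QCStatement whose only component is the statementId OID, which is exactly the "conformant, nothing more to say" case. The validator accepts a missing statementInfo but rejects an empty SemanticsInformation and an empty nameRegistrationAuthorities, the two ways a careless encoder could satisfy the QCStatement type while violating the constraints on the qcStatement-1 object.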