
RE: Last Call: Qualified Certificates



Magnus,

My default assumption is that if you define a statementId and an
associated statementInfo, the statementInfo must be present for that
statementId unless otherwise documented in the definition of the
statementId.  The text you cite below allows me to create a statementId
and either define the statementInfo as absent or optional.

jim

> -----Original Message-----
> From: Nystrom, Magnus [mailto:mnystrom@xxxxxxxxxxxxxxx] 
> Sent: Thursday, December 18, 2003 12:51 AM
> To: jimsch@xxxxxxxxxx
> Cc: ietf-pkix@xxxxxxx; 'Stefan Santesson'
> Subject: RE: Last Call: Qualified Certificates
> 
> 
> Jim,
> 
> The QCStatement.statementInfo component is optional for any 
> and all statements. It is not specific for qcStatement-1, it 
> is governed by the Type definition for QCStatement. Quoting 
> from the text describing the QCStatement type: "Each 
> statement SHALL include an object identifier for the 
> statement and MAY also include optional qualifying data 
> contained in the statementInfo parameter." Adding a special 
> statement for qcStatement-1 would be confusing, IMO.
> 
> -- Magnus
> 
> On Thu, 18 Dec 2003, Jim Schaad wrote:
> 
> > Magnus,
> >
> > This being the case, please add a textual statement that for 
> > qcStatement-1, the parameters SemanticsInformation is optional.
> >
> > jim
> >
> > > -----Original Message-----
> > > From: Nystrom, Magnus [mailto:mnystrom@xxxxxxxxxxxxxxx]
> > > Sent: Thursday, December 18, 2003 12:33 AM
> > > To: jimsch@xxxxxxxxxx
> > > Cc: ietf-pkix@xxxxxxx; 'Stefan Santesson'
> > > Subject: RE: Last Call: Qualified Certificates
> > >
> > > Jim,
> > >
> > > Please find my reply below.
> > >
> > > On Wed, 17 Dec 2003, Jim Schaad wrote:
> > >
> > > > Magnus,
> > > >
> > > > Only one issue left....
> > > >
> > > > > -----Original Message-----
> > > > > From: owner-ietf-pkix@xxxxxxxxxxxx 
> > > > > [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Nystrom, 
> > > > > Magnus
> > > > >
> > > > > Jim,
> > > > >
> > > > > Thanks for continuing the discussion... Some replies below.
> > > > >
> > > > > On Wed, 17 Dec 2003, Jim Schaad wrote:
> > > > >
> > > > > > > -----Original Message-----
> > > > > > >
> > > > > > > Thanks for your review. I'll respond to a few of your
> > > > > > > comments here.
> > > > > > > > 10. Section 3.2.5.1 - I have decided to put the predefined
> > > > > > > > statement into my QC.  After reading this document I
> > > > > > > > understand that what I want starts as follows:
> > > > > > > >
> > > > > > > > 	EXTENSION { id-pe-qcStatements,
> > > > > > > > 			{ id-qcs-pkixQCSyntax-v1, {ABSENT, ? }}
> > > > > > > > In this case I don't have a semanticsIdentifier created by the
> > > > > > > > document, so I must be including the
> > > > > > > > NameRegistrationAuthorities option.  However I don't know
> > > > > > > > if what goes here is the pkix working group name or some
> > > > > > > > other value.
> > > > > > >
> > > > > > > I am not sure I understand your question Jim, but values for the
> > > > > > > nameRegistrationAuthorities component have nothing to do with
> > > > > > > PKIX. It is the OID for the authority responsible for the
> > > > > > > subject's name (or attributes of the subject's name) as it
> > > > > > > appears in the certificate. I thought this was clear from
> > > > > > > 3.2.5.1?  Likewise for the semanticsIdentifier option - it is to
> > > > > > > be specified by/for that authority.
> > > > > >
> > > > > > LET ME QUOTE:
> > > > > >
> > > > > >    --  This statement identifies conformance with syntax and
> > > > > >    --  semantics defined in this Qualified Certificate profile
> > > > > >    --  (Version 1). The SemanticsInformation may optionally contain
> > > > > >    --  additional semantics information as specified.
> > > > > >
> > > > > > As I read this statement there should be an OID that 
> > > > > > identifies this DOCUMENT as a name registration authority.
> > > > >
> > > > > No, that was not the intent - this document should not be a name
> > > > > registration authority.
> > > > >
> > > > > Note the syntax: A QCStatement is a SEQUENCE of a statementID
> > > > > component (an OID) and an optional statementInfo. For the object
> > > > > qcStatement-1, the statementInfo component is a value of type
> > > > > SemanticsInformation. The semantics of qcStatement-1 is that the
> > > > > certificate has been issued in conformance with syntax and semantics
> > > > > identified in this document. In the case of qcStatement-1, the
> > > > > statementInfo component (which is of type SemanticsInformation) "MAY
> > > > > contain a semantics identifier and MAY identify one or more name
> > > > > registration authorities."  ("MAY" since the components are
> > > > > optional).
> > > > >
> > > > > As stated in the document, the semanticsIdentifier component of
> > > > > a SemanticsInformation value contains an OID which defines semantics
> > > > > for certain attributes and names in basic certificate fields,
> > > > > and the nameRegistrationAuthorities component contains the name of one
> > > > > or more authorities responsible for the registration of attributes
> > > > > or names associated with the subject and the association between
> > > > > such an authority and present attributes MAY be defined by a
> > > > > semanticsIdentifier OID.
> > > > >
> > > > > > If I use the fields defined by this document and use the defined
> > > > > > OID in this document, then I need to be able to correctly encode
> > > > > > this extension in my certificate without reference to an external
> > > > > > naming authority.  If this is not the case then there is
> > > > > > absolutely no reason to have section 3.1 or 3.2.1, 3.2.2, 3.2.3 or
> > > > > > 3.2.4 as they are defining how these fields should be used.
> > > > > >
> > > > > > I need a way to refer to this document as either the 
> > > > > > semanticsIdentifier or the nameRegistrationAuthority.
> > > > >
> > > > > As I see it, you shouldn't. The statementInfo component is optional.
> > > > > If all you want to say is that you're conformant with syntax and
> > > > > semantics of this document then you set the statementID to
> > > > > id-qcs-pkixQCSyntax-v1 and leave out the statementInfo component. If
> > > > > there is some well-known OID that defines semantics for a set of
> > > > > attributes and/or names used then include the statementInfo
> > > > > component, and set the semanticsIdentifier component. If you
> > > > > just want to name a registration authority then include the
> > > > > statementInfo component and set its nameRegistrationAuthority
> > > > > component. If you want to associate a name registration authority
> > > > > with semantics for certain attributes then set both components of
> > > > > the SemanticsInformation.
> > > > >
> > > > > I have tried to capture our thinking above, but I may have
> > > > > missed something as we wrote this almost four years ago. Stefan,
> > > > > feel free to correct me if I got something wrong.
> > > > >
> > > > > Did this help at all, Jim?
> > > >
> > > > This does and does not help.  I can now understand how you think that
> > > > I should be encoding this extension.  However in reviewing the
> > > > document I do not see any statements about the fact that the presence
> > > > of QCStatements is optional.  This needs to be clarified in the
> > > > document.
> > >
> > > I think there is some confusion here. QCStatements is not optional.
> > > But each QCStatement has the syntax
> > >
> > >    QCStatement ::= SEQUENCE {
> > >        statementId   QC-STATEMENT.&Id({SupportedStatements}),
> > >        statementInfo QC-STATEMENT.&Type
> > >        ({SupportedStatements}{@statementId}) OPTIONAL }
> > >
> > > (or in older syntax:
> > >
> > > QCStatement ::= SEQUENCE {
> > >     statementId        OBJECT IDENTIFIER,
> > >     statementInfo      ANY DEFINED BY statementId OPTIONAL}
> > > )
> > >
> > > I.e. the statementInfo component of each QCStatement value is
> > > OPTIONAL. So, if you use this extension, you can have a QCStatement
> > > with the statementId value set to the statement OID defined in the
> > > document, but you don't need to have a statementInfo component
> > > present.
> > >
> > > > The document does require that either statementInfo or statementId be
> > > > present within the QCStatement object however.
> > >
> > > (QCStatement is a type, not an object)
> > >
> > > No, it requires that either the semanticsIdentifier or the 
> > > nameRegistrationAuthorities components (or both) be present in a 
> > > value of type SemanticsInformation which is the syntax for the 
> > > qcStatement-1 object. This should not be confused with the 
> > > QCStatement type. If the statementId component of a QCStatement 
> > > value has the value id-qcs-pkixQCSyntax-v1 then the statementInfo 
> > > component is still optional, but if present it must have the syntax
> > > SemanticsInformation for which it holds that at least one of its
> > > components must be present.
> > >
> > > > Thus if QCStatements is not OPTIONAL (my reading of your above
> > > > statement) then a statement as to how to encode as using the
> > > > "conformance and semantics defined in this document" needs to be made.
> > >
> > > QCStatements is not OPTIONAL, but you don't need to populate 
> > > individual QCStatement's statementInfo components, as described 
> > > above.
> > >
> > > -- Magnus
> > >
> >
>
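The encoding rules argued over in this thread, as an added example that is not part of the thread or of the Qualified Certificates document: a stdlib-only Python DER encoder and checker for QCStatements, where qc_statement() with no statementInfo gives the bare qcStatement-1 Magnus describes, semantics_information() refuses an empty SemanticsInformation, and check_qc_statements() enforces that a statementInfo present on qcStatement-1 is a non-empty SemanticsInformation. It assumes the OID arc RFC 3739 assigns to id-qcs-pkixQCSyntax-v1, the rfc822Name form of GeneralName, and short-form DER lengths only; the function names are my own.

```python
# Added example; OID arc per RFC 3739; short-form DER lengths only (< 128 bytes).
ID_QCS_PKIX_QC_SYNTAX_V1 = "1.3.6.1.5.5.7.11.1"  # statementId of qcStatement-1

def _tlv(tag, body):  # DER tag-length-value with a short-form length
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):  # -> (tag, body, position just after the TLV)
    n = buf[pos + 1]
    return buf[pos], buf[pos + 2:pos + 2 + n], pos + 2 + n

def encode_oid(dotted):  # first two arcs packed into one value, all base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for a in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:  # continuation bytes carry the high bit
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def semantics_information(semantics_oid=None, nra_rfc822=()):
    """Both components are OPTIONAL, but at least one of them must be present."""
    if semantics_oid is None and not nra_rfc822:
        raise ValueError("SemanticsInformation needs at least one component")
    body = encode_oid(semantics_oid) if semantics_oid else b""
    if nra_rfc822:  # GeneralName rfc822Name = [1] IMPLICIT IA5String (tag 0x81)
        body += _tlv(0x30, b"".join(_tlv(0x81, n.encode("ascii")) for n in nra_rfc822))
    return _tlv(0x30, body)

def qc_statement(statement_id, statement_info=b""):  # statementInfo is OPTIONAL
    return _tlv(0x30, encode_oid(statement_id) + statement_info)
def qc_statements(*stmts):  # QCStatements ::= SEQUENCE OF QCStatement
    return _tlv(0x30, b"".join(stmts))

def check_qc_statements(der):  # -> [(is_qcStatement_1, info_present)] or raise
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("QCStatements must be a single SEQUENCE")
    v1, out, pos = encode_oid(ID_QCS_PKIX_QC_SYNTAX_V1), [], 0
    while pos < len(body):
        t, stmt, pos = _read_tlv(body, pos)
        ot, _, p = _read_tlv(stmt, 0)
        if t != 0x30 or ot != 0x06:
            raise ValueError("QCStatement must be SEQUENCE { OID, ... }")
        is_v1, info = stmt[:p] == v1, stmt[p:]  # info is b"" when absent
        if is_v1 and info:  # if present, must be a non-empty SemanticsInformation
            it, ibody, iend = _read_tlv(info, 0)
            if it != 0x30 or iend != len(info) or not ibody:
                raise ValueError("qcStatement-1 info must be SemanticsInformation")
        out.append((is_v1, bool(info)))
    return out
```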