
SCVP No error code found



Hi Trevor,

By reading the SCVP draft 15, I understand that if the requestor puts some KeyUsage bits in the query (section 3.2.17), then the server has to check whether the specified KeyUsage bit(s) are present in each queried certificate. If the server finds that a queried certificate does not contain the required KeyUsage bit(s), the server will not process the request.

The above case raises two questions:

1. What error code will be returned so that the requestor can understand the failure reason?
2. If there are two certificates in the query and the KeyUsage required is digitalSignature in each queried certificate, but in validation the server finds that one certificate has digitalSignature while the other does not: in this case the server should not return an error code for the SCVP response but should return an error code for the queried certificate, so for this case the replyObject structure should have a corresponding error code.
   There may be one of two reasons that the queried certificate does not have the required bit(s):
   - the queried certificate is version 1
   - the queried certificate is version 3 but does not have the required bit(s)
   * I assume that in the case of a version 1 certificate, we will continue processing, while for version 3 we will generate some error.

The same case as discussed above can occur for ExtendedKeyUsage OID(s)....

Do you have any idea, or am I missing something from the protocol?

Regards,
Faisal
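An added example, not from Faisal's message or the SCVP draft, modelling the per-certificate check the question describes: each queried certificate gets its own status instead of one response-level error, using the poster's assumed semantics (version 1 passes through, version 3 missing a bit is flagged). The `Cert` record, the status strings and the sample certificates are constructed here for illustration; the same function covers the ExtendedKeyUsage case by passing OID strings as the required set.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# X.509 KeyUsage bit names, kept as strings for readability.
DIGITAL_SIGNATURE = "digitalSignature"
KEY_ENCIPHERMENT = "keyEncipherment"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a queried certificate (not a real parser)."""
    name: str
    version: int                              # 1 or 3
    usages: Optional[FrozenSet[str]] = None   # None = extension absent


def check_required_usages(cert: Cert, required: FrozenSet[str]) -> str:
    """Per-certificate verdict for one queried certificate.

    Assumed semantics (the poster's proposal, not defined by the draft):
    a version 1 certificate cannot carry extensions, so it is passed
    through; a version 3 certificate missing any required value is flagged.
    Works for KeyUsage bits and for ExtendedKeyUsage OID strings alike.
    """
    if cert.version == 1:
        return "ok-no-extension"
    present = cert.usages or frozenset()
    missing = required - present
    if missing:
        return "mismatch: missing " + ",".join(sorted(missing))
    return "ok"


def evaluate_query(certs: List[Cert], required: FrozenSet[str]) -> Dict[str, str]:
    """Reply-object level results: one entry per queried certificate, so a
    failing certificate does not hide the outcome for the others."""
    return {c.name: check_required_usages(c, required) for c in certs}


if __name__ == "__main__":
    # Constructed sample query: two v3 certs, one lacking digitalSignature, plus a v1 cert.
    sample = [
        Cert("signer", 3, frozenset({DIGITAL_SIGNATURE, KEY_ENCIPHERMENT})),
        Cert("encrypt-only", 3, frozenset({KEY_ENCIPHERMENT})),
        Cert("legacy-v1", 1),
    ]
    for name, status in evaluate_query(sample, frozenset({DIGITAL_SIGNATURE})).items():
        print(f"{name}: {status}")
```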