RE: On cross-certificates and pathLenConstraint



Stephen Kent <kent@xxxxxxx> writes:

>As I noted earlier in my messages, I think it would be appropriate to include
>these extensions in path validation. In fact, I raised this issue over a year
>ago in discussions with Sharon and Santosh. But, X.509 does not allow this at
>this time.

If there's consensus that this is a good idea, why not just change it?  PKIX
is bigger than X.509 (does anyone still work from X.509 rather than going
straight to the PKIX sources)?  I know that PKIX was originally started to
profile X.509 for Internet use, but it's been running (or at least shuffling)
as a full parallel standards group for years since then.  PKIX is the dog,
X.509 is its vestigial tail, why not wag it?

(I'm not trying to pick a fight with the X.509 folks, it's just a pain having
 two (more if you include ETSI and other groups) parallel standards bodies all
 busy cutting&pasting each other's work as they play Chinese Whispers with the
 spec, with sundry propagation delays, inconsistencies, and errors introduced
 along the way).

Peter.