RE: SCVP 16 comments deadline
> * -----Original Message-----
> * From: Peter Sylvester [mailto:Peter.Sylvester@xxxxxxxxxx]
> * Sent: Tuesday, December 07, 2004 4:15 AM
> * To: Trevor Freeman
> * Cc: ietf-pkix@xxxxxxx
> * Subject: Re: SCVP 16 comments deadline
> *
> * We have
> *
> * Query ::= SEQUENCE {
> * queriedCerts SEQUENCE SIZE (1..MAX) OF CertReference,
> *
> * ...
> * validationPolicy ValidationPolicy,
> *
> * with
> * ValidationPolicy ::= SEQUENCE {
> * ...
> * validationAlg [0] ValidationAlg OPTIONAL,
> *
> *
> * 3.1.5 validationAlg
> [TF] The duplicate Validation alg section has been removed.
good. But which one?
> * ---------------
> *
> * 3.1.5.2.3 Name Validation Algorithm
> *
> * The name validation algorithm allows the client to supply an
> * application identifier and a name to the server. The application
> * identifier defines the name matching rules to use in comparing the
> * name supplied in the request with the names in the certificate.
> *
> * There may be more than one certificate in the request.
> [TF] The policy is global to the request.
> *
> *
> * NameValidationAlgParms ::= SEQUENCE {
> * keyPurposeId KeyPurposeId,
> * validationNames GeneralNames }
> *
> * What is the relation between the KeyPurposeId and the
> extendedKeyUsage
> * 3.1.5.10 extendedKeyUsages
> [TF] The OID with name validation defines the matching rules. In theory
> there could be multiple matching rules for an 822 name.
no comment.
> *
> * If the keyPurposeID supplied in the request is id-kp-mailProtection
> * [PKIX-1], then GeneralNames supplied in the request MUST be a
> * rfc822Name, and the matching rules are defined in [SMIME-CERT].
> *
> * "an rfc822Name".
> *
> * what is the meaning of this if I have more than one email certificate,
> * i.e. I want to validate all encryption certs before using them.
> [TF] If they are different names they have to be different requests.
> * Does this mean that the validate Algorithm is cert specific and not
> * request specific?
> [TF] The validation policy for the request is global to the request.
>
It is quite normal that the parameters associated to the single algorithm
may not be different for each cert, in particular for email.
It seems possible to allow a list of emails and require that for each
email, there must be at least one certificate in the certificate list.
Or you move the parameters to some information associated to the certificate,
or one says that the sequence of names must correspond to the sequence
of certs, ...
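The three readings of a request-global name validation policy that this message weighs against each other can be modelled directly. The following is an added illustration, not SCVP code and not from the draft or from either correspondent: it represents the queriedCerts list and NameValidationAlgParms as plain Python objects, takes the [PKIX-1] key purpose to be id-kp-emailProtection (OID 1.3.6.1.5.5.7.3.4), and uses an assumed rfc822Name comparison (local-part compared exactly, domain case-insensitively) in place of the [SMIME-CERT] matching rules. The three `validate_*` functions, the `Cert` fields and the sample certificates are constructed for the example.

```python
"""Model of the SCVP name-validation check discussed in the thread.

Constructed illustration: plain objects stand in for queriedCerts and
NameValidationAlgParms, and three readings of a request-global policy
are compared on the same input.
"""
from dataclasses import dataclass

# id-kp-emailProtection from [PKIX-1]; the thread calls it id-kp-mailProtection
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


@dataclass(frozen=True)
class Cert:
    """Only the fields the name validation algorithm looks at (constructed)."""
    subject: str
    rfc822_names: tuple[str, ...]     # subjectAltName rfc822Name values
    ext_key_usages: tuple[str, ...]   # extendedKeyUsage OIDs


@dataclass(frozen=True)
class NameValidationAlgParms:
    key_purpose_id: str
    validation_names: tuple[str, ...]  # GeneralNames, restricted here to rfc822Name


def rfc822_name_equal(a: str, b: str) -> bool:
    """Assumed rule (not [SMIME-CERT]): local-part exact, domain case-insensitive."""
    if a.count("@") != 1 or b.count("@") != 1:
        return False
    local_a, domain_a = a.rsplit("@", 1)
    local_b, domain_b = b.rsplit("@", 1)
    return local_a == local_b and domain_a.lower() == domain_b.lower()


def cert_matches_name(cert: Cert, name: str, key_purpose_id: str) -> bool:
    """One certificate satisfies one validation name for the given key purpose."""
    if key_purpose_id != ID_KP_EMAIL_PROTECTION:
        raise ValueError("only the mail protection key purpose is modelled here")
    # The key purpose selects the matching rule, but the certificate must also
    # be issued for that purpose, otherwise a name match means nothing.
    if key_purpose_id not in cert.ext_key_usages:
        return False
    return any(rfc822_name_equal(name, n) for n in cert.rfc822_names)


def validate_global(certs, parms):
    """Reading 1 (the draft as quoted): a single rfc822Name applied to every
    queried certificate. Returns the subjects that do not carry that name."""
    (name,) = parms.validation_names  # the quoted text allows exactly one name
    return tuple(c.subject for c in certs
                 if not cert_matches_name(c, name, parms.key_purpose_id))


def validate_any_cert_per_name(certs, parms):
    """Reading 2 (proposed above): for every name in the policy at least one
    queried certificate must carry it. Returns the names left unmatched."""
    return tuple(
        name for name in parms.validation_names
        if not any(cert_matches_name(c, name, parms.key_purpose_id) for c in certs)
    )


def validate_pairwise(certs, parms):
    """Reading 3 (proposed above): the i-th name belongs to the i-th queried
    certificate. Returns the subjects of certificates failing their own name."""
    if len(certs) != len(parms.validation_names):
        raise ValueError("pairwise reading needs one name per queried certificate")
    return tuple(
        c.subject for c, name in zip(certs, parms.validation_names)
        if not cert_matches_name(c, name, parms.key_purpose_id)
    )


# Constructed sample: two mail certificates and one serverAuth-only certificate
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CERTS = (
    Cert("CN=Alice", ("alice@Example.org",), (ID_KP_EMAIL_PROTECTION,)),
    Cert("CN=Bob", ("bob@example.org",), (ID_KP_EMAIL_PROTECTION,)),
    Cert("CN=Bob-TLS", ("bob@example.org",), (ID_KP_SERVER_AUTH,)),
)

if __name__ == "__main__":
    one_name = NameValidationAlgParms(ID_KP_EMAIL_PROTECTION, ("alice@example.org",))
    print("global policy, two certs:", validate_global(CERTS[:2], one_name))
    three = NameValidationAlgParms(
        ID_KP_EMAIL_PROTECTION,
        ("alice@example.org", "bob@example.org", "carol@example.org"))
    print("any cert per name:", validate_any_cert_per_name(CERTS, three))
    pair = NameValidationAlgParms(
        ID_KP_EMAIL_PROTECTION,
        ("alice@example.org", "bob@example.org", "bob@example.org"))
    print("pairwise:", validate_pairwise(CERTS, pair))
```

Running the block shows the problem the message raises: under the global reading a request containing Alice's and Bob's certificates with one name can never succeed for both, while the per-name and pairwise readings each give a well-defined answer but disagree on what a request must contain. The pairwise reading also rejects the serverAuth-only certificate even though its name matches, because the key purpose check is applied per certificate.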