RE: SCVP 16 comments deadline
Hi Peter
* -----Original Message-----
* From: owner-ietf-pkix@xxxxxxxxxxxx
[mailto:owner-ietf-pkix@xxxxxxxxxxxx]
* On Behalf Of Peter Sylvester
* Sent: Tuesday, December 07, 2004 4:15 AM
* To: Trevor Freeman
* Cc: ietf-pkix@xxxxxxx
* Subject: Re: SCVP 16 comments deadline
*
*
* We have
*
* Query ::= SEQUENCE {
* queriedCerts SEQUENCE SIZE (1..MAX) OF CertReference,
*
* ...
* validationPolicy ValidationPolicy,
*
* with
* ValidationPolicy ::= SEQUENCE {
* ...
* validationAlg [0] ValidationAlg OPTIONAL,
*
*
* 3.1.5 validationAlg
*
* The validationAlg item, defines the validation algorithm to be used
* by the SCVP server during certificate validation. The value of
* this item can be determined by agreement between the client and the
* server, and is represented as an object identifier. The server
* might want to assign additional object identifiers that indicate
* that some settings are used in addition to others given in the
* request. In this way, the validation algorithm object identifier
* can be a shorthand for some SCVP options, but not others.
*
* The validationAlg item uses the ValidationAlg type, which has the
* following syntax:
*
* ValidationAlg ::= SEQUENCE {
* valAlgId OBJECT IDENTIFIER,
* parameters ANY DEFINED BY valAlgId OPTIONAL }
*
*
* and also
*
*
* 3.1.5.2 validationAlg
*
* The optional validationAlg item defines the validation algorithm to
* be used by the SCVP server during certificate validation. The
* value of this item can be determined by agreement between the
* client and the server, and the validation algorithm is represented
* by an object identifier.
*
* The syntax of the validationAlg is:
*
* ValidationAlg ::= SEQUENCE {
* valAlgId OBJECT IDENTIFIER,
* parameters ANY DEFINED BY valAlgId OPTIONAL }
*
* The following section specifies the basic validation algorithm and
* the name validation algorithm. SCVP clients and servers MUST
* support both validation algorithms defined in this section. Other
* validation algorithms can be specified in other documents for use
* with specific applications. SCVP clients and servers MAY support
* any such validation algorithms.
*
* ---------------
*
* 3.1.5.2.3 Name Validation Algorithm
*
* The name validation algorithm allows the client to supply an
* application identifier and a name to the server. The application
* identifier defines the name matching rules to use in comparing the
* name supplied in the request with the names in the certificate.
*
* There may be more than one certificate in the request.
*
*
* NameValidationAlgParms ::= SEQUENCE {
* keyPurposeId KeyPurposeId,
* validationNames GeneralNames }
*
* What is the relation between the KeyPurposeId and the extendedKeyUsage?
* 3.1.5.10 extendedKeyUsages
*
* If the keyPurposeID supplied in the request is id-kp-mailProtection
* [PKIX-1], then GeneralNames supplied in the request MUST be a
* rfc822Name, and the matching rules are defined in [SMIME-CERT].
*
* 'an rfc822Name'.
*
* What is the meaning of this if I have more than one email certificate,
* i.e. I want to validate all encryption certs before using them?
*
*
* Does this mean that the validation algorithm is cert specific and not
* request specific?
[TF] The request specifies a policy, which in turn references an
algorithm. The policy applies globally to the request. There is no
relationship between the certificate and the algorithm.
Trevor
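As an added illustration of the point above (example code, not from the thread or the SCVP draft): one request-level validationAlg is checked once and then applied to every queriedCert, so a request carrying several encryption certs still has a single name validation policy. Assumed here: a minimal Python model of the draft's Query and NameValidationAlgParms types, and a simplified rfc822Name comparison that is not the [SMIME-CERT] rule.

```python
from dataclasses import dataclass

# id-kp-emailProtection from RFC 3280; the quoted draft text calls it
# id-kp-mailProtection. Only the OID is used here.
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

@dataclass
class Cert:  # stand-in for a CertReference: only the fields the check needs
    subject: str
    rfc822_names: list  # subjectAltName rfc822Name values in the cert

@dataclass
class NameValidationAlgParms:  # mirrors the draft's NameValidationAlgParms
    keyPurposeId: str
    validationNames: list  # GeneralNames as (type, value) pairs

@dataclass
class Query:  # mirrors Query: many queriedCerts, one request-level algorithm
    queriedCerts: list
    validationAlg: NameValidationAlgParms

def mailbox_equal(a: str, b: str) -> bool:
    # Assumed simplification for this example (not the [SMIME-CERT] rule):
    # exact local part, case-insensitive domain part.
    la, _, da = a.rpartition("@")
    lb, _, db = b.rpartition("@")
    return la == lb and da.lower() == db.lower()

def check_request(q: Query) -> dict:
    """Check the request-level parameters once, then compare every queried
    cert against the same names. Returns {subject: matched}."""
    p = q.validationAlg
    # The draft's MUST: with id-kp-mailProtection the supplied names are rfc822Name.
    if p.keyPurposeId == ID_KP_EMAIL_PROTECTION and any(
            t != "rfc822Name" for t, _ in p.validationNames):
        raise ValueError("mail protection requires rfc822Name validationNames")
    wanted = [v for _, v in p.validationNames]
    return {c.subject: any(mailbox_equal(w, n) for w in wanted for n in c.rfc822_names)
            for c in q.queriedCerts}

# Constructed sample: three encryption certs queried under one policy.
SAMPLE_QUERY = Query(
    queriedCerts=[Cert("CN=alice-enc-1", ["alice@Example.org"]),
                  Cert("CN=alice-enc-2", ["alice@example.org"]),
                  Cert("CN=bob-enc", ["bob@example.org"])],
    validationAlg=NameValidationAlgParms(ID_KP_EMAIL_PROTECTION,
                                         [("rfc822Name", "alice@example.org")]))
```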