[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Mea Culpa and NEW SCVP 16 comments deadline

To: Tim Polk <tim.polk@xxxxxxxx>
Subject: Re: Mea Culpa and NEW SCVP 16 comments deadline
From: Francis Dupont <Francis.Dupont@xxxxxxxxxxxxxxxx>
Date: Sun, 12 Dec 2004 18:02:07 +0100
Cc: ietf-pkix@xxxxxxx
In-reply-to: Your message of Thu, 09 Dec 2004 11:43:30 EST. <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Some comments:
 - the requestorRef definition doesn't match its description in 3.2.
   IMHO we should keep the description, i.e., the requestorRef should be
   an octet string which is a local reference to the client. More, I'd like
   the rationale of 4.7 be reflected in 3.2...
 - please change wantBack (item name) and WantBack (type) into wantBacks
   and WantBacks (like [cC]ecks and [rR]eplyWantBacks: homogeneous use
   of the plural!)
 - I'd like to use other cert references than ESSCertIDs, IKE has and URL
   for instance. Please add an OID+Value choice in PKCReference/ACReference?
 - checks OIDs (id-stc-build-*) are different between 3.1.2 and the annex.
   IMHO the text which defines 7 cases is right.
 - 3.1.5.1 needs to be merged into 3.1.4.1. My understanding is there are
   a default validation policy and a basic validation algorithm.
 - spelling of basic valAlg errors (id-bvae-*) should be uniformized
 - same for name valAlg errors between definitions and descriptions
 - id-nvae-unknown-pupose -> id-nvae-unknown-purpose
 - there is nothing about the case where the extended key usage extension
   is absent. IMHO this is like key usage, i.e., the certificate MUST be
   considered goof for all extended usages...
 - responseFlags items *need* tags!
 - 4 uses id-ct-scvp-psResponse in place of id-ct-scvp-certValResponse (typo)
 - what are the differences between responseStatus 50 and 61, or 51 and 62?
 - in ValidationPolValues isCA and trustAnchors should be optional as they
   have no default values.
 - validationPolicyAttr is spuriously described again in 4.5.6
 - in 4.10 change valdationPolicy into validationErrors (typo) which is
   OPTIONAL (i.e., in the MAYs)
 - replyWantBacks for id-swb 10, 11 and 13 are missing
 - delete 4.10.6 validationAlg (moved to ValidationPolValues)
 - just a question "en passant": what OID to used in validationErrors for
   a failed "isCA" check? id-bvae-invalidEntity? id-bvae-invalidPurpose?
 - please change valPolRequest into VPRequest for the name of the type
 - same for valPolResponse and VPResponse
 - same in 6.4 for PolResponse
 - same in 6.6 for polResponse
 - delete 6.7 trustAnchors
 - IMHO dhPublicKeyInfo should be optional in VPResponse because DH is
   not the only protection way.
 - 6.14 VaidationPolValues (typo)
 - in ASN.1 annex:
    * nameValidationAlg -> NameValidationAlgParms
    * ValidationPolValues differs
    * some missing id-stc-build-*
    * id-svp-defaultValAlg -> id-svp-defaultValPolicy
    * missing id-svp-dnValAlg, incorrect id-nvae definition
 - in HTTP B.1 appendix:
   application/cv-policy-request -> application/cv-request
   (IMHO the Sample should be removed as the length header is missing too)

Regards

Francis.Dupont@xxxxxxxxxxxxxxxx

PS: I have an implementation of draft 16 in OpenSSL 0.9.7d with a responder
and some test clients including racoon (IKE) and EAP-TLS. Of course as
only the beta version of OpenSSL really supports policies it is a very
partial implementation, BTW not worse than what already exists for
my applications (:-).

References:
- Mea Culpa and NEW SCVP 16 comments deadline
  - From: Tim Polk

Prev by Date: Re: Proposed Changes to RFC 3280
Next by Date: Re: SCVP 16 comments deadline
Previous by thread: Mea Culpa and NEW SCVP 16 comments deadline
Next by thread: RE: SCVP 16 comments deadline
Index(es):
- Date
- Thread