
RE: SET Root CA Extension



Russ,

The United States Postal Service has plans for using the same private extension.

Regards Ebbe Hansen @ Cylink Corp.

----------
From: 	Housley, Russ[SMTP:housley@spyrus.com]
Sent: 	Monday, July 07, 1997 7:20 AM
To: 	ietf-pkix@tandem.com
Subject: 	SET Root CA Extension


All:

In the SET environment, the Root CA has a private extension that carries 
the hash of the next public key to be used by the CA.  This extension 
allows a single key (the current one) to be distributed by a trusted means, 
then, as long as there are no compromises at the Root CA, subsequent CA 
certificates can be trusted without trusted distribution of the public key.

The syntax used by SET is:
    -- Set protocol private extensions --

    hashedRootKey EXTENSION ::= { -- Only in root certificates
        SYNTAX HashedRootKeySyntax
        CRITICAL TRUE
        IDENTIFIED BY id-set-hashedRootKey
    }

    HashedRootKeySyntax ::= RootKeyThumb

    RootKeyThumb ::= SEQUENCE {
        rootKeyThumbprint DD { SubjectPublicKeyInfo{{SupportedAlgorithms}} }
    }

Are any other communities planning to use this mechanism?

If many communities want to use this mechanism, then we should add it to 
PKIX Part 1 to make sure that certificate users are prepared for this 
CRITICAL extension.  If only the SET community is interested in this 
extension, then we should not add it to PKIX Part 1.

Russ
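
Added example, not part of the original thread or of the SET specification: a sketch of the rollover check the hashedRootKey extension enables, where a relying party accepts a new root key only if it hashes to the value committed in the root it already trusts. Assumptions: SHA-256 as the digest, a hypothetical simplified `RootCert` record instead of parsed X.509, and only the thumbprint check is shown (signature and validity checks are omitted).

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def thumbprint(spki: bytes) -> bytes:
    # Assumption: SHA-256 over the encoded SubjectPublicKeyInfo. The message
    # does not say which digest SET uses.
    return hashlib.sha256(spki).digest()


@dataclass(frozen=True)
class RootCert:  # hypothetical simplified record, not a parsed X.509 certificate
    name: str
    spki: bytes                      # encoded SubjectPublicKeyInfo of this root key
    next_key_thumb: Optional[bytes]  # hashedRootKey: hash of the next root key


def accept_rollover(trusted: RootCert, candidate: RootCert) -> bool:
    """True only if candidate's key is the one the trusted root committed to."""
    if trusted.next_key_thumb is None:
        return False  # no commitment, so the new key needs trusted distribution
    return hmac.compare_digest(trusted.next_key_thumb, thumbprint(candidate.spki))


def newest_trusted_root(anchor: RootCert, successors: Iterable[RootCert]) -> RootCert:
    """Walk forward from the trusted anchor, stopping at the first broken link."""
    current = anchor
    for cand in successors:
        if not accept_rollover(current, cand):
            break
        current = cand
    return current


# Constructed sample keys (placeholder bytes, not real DER).
KEY1, KEY2, KEY3 = b"constructed-spki-gen1", b"constructed-spki-gen2", b"constructed-spki-gen3"
ROOT1 = RootCert("root-gen1", KEY1, thumbprint(KEY2))  # distributed by trusted means
ROOT2 = RootCert("root-gen2", KEY2, thumbprint(KEY3))
ROOT3 = RootCert("root-gen3", KEY3, None)
ROGUE = RootCert("root-gen2", b"constructed-spki-rogue", thumbprint(KEY3))

if __name__ == "__main__":
    print(newest_trusted_root(ROOT1, [ROOT2, ROOT3]).name)
    print(newest_trusted_root(ROOT1, [ROGUE, ROOT3]).name)
```

A relying party that skips a generation cannot re-join the chain from the thumbprint alone, since each root commits only to its immediate successor.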