Re: Comments on [MANDATORY cert discovery capability]
Carlisle Adams wrote:
> But, to answer your question, the CA must respond with an error message
> (a response that should be expected by any EE that goes outside the
> mandatory spec.). This does not hamper the EE's abilities or future
> actions in any way, because it can always send another request with an
> empty SET (to get whatever the CA does know), or get the required
> information in any other fashion (recall that PKIMessages do not need to
> be used for this information exchange), or decide that it really didn't
> need this particular information after all and simply send an InitReq
> message.
Should we mandate that an EE be required to send a PKIInformation "with
an empty set of requirements" msg if it gets an error msg to its previous
attempt to synchronise PKI information before entering the initialization or
certification states where real work gets done?
I'm imagining a Microsoft implementation of this PKIInformation exchange
in which the ActiveX enrollment control, which implements the
more elaborate B.x profiles using RSA, would be supplied to the EE in response
to PKIInformation object {ms 1}. Where the CA is not an ActiveX
CA (i.e. it sends an error msg), then that same browser needs to fall
back to non-ActiveX mechanisms by syncing on initialization information they
can agree on (i.e. that which the CA optionally provides) and using a
barebones PKIX-3 minimal, default implementation with DSA cipherSuites, say.
(Take this example figuratively, only.)
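The exchange the two posts describe, modelled as an added example that is not part of the thread or of any PKIX implementation: an EE asks the CA for a specific SET of information objects, the CA answers with an error if it does not know one of them, and the EE then falls back to an empty SET ("send whatever you know") and decides from the result whether it can proceed with a minimal profile or must stop. The object identifiers, the `CA`/`EE` classes and the `handle_info_request`/`synchronise` names are all constructed for illustration; real PKIMessages are ASN.1 structures and are not encoded here.

```python
"""Toy model of the PKIInformation request / error / empty-SET fallback
discussed in the thread. Everything below is a constructed illustration."""
from dataclasses import dataclass, field

# Constructed placeholder identifiers, not real OIDs.
OID_CA_CERT = "ex.1"        # hypothetical: the CA's certificate
OID_SUPPORTED_ALGS = "ex.2" # hypothetical: algorithms the CA accepts
OID_MS_ACTIVEX = "ex.99"    # hypothetical stand-in for the "{ms 1}" object


@dataclass
class InfoResponse:
    """What the CA sends back: either the requested info or an error."""
    ok: bool
    info: dict = field(default_factory=dict)
    error: str = ""


class CA:
    """A CA that knows a fixed set of information objects."""

    def __init__(self, known: dict):
        self.known = known

    def handle_info_request(self, requested: set) -> InfoResponse:
        # An empty SET means "tell me what you know": never an error.
        if not requested:
            return InfoResponse(True, dict(self.known))
        unknown = requested - set(self.known)
        if unknown:
            # Per the thread: the CA must respond with an error when the EE
            # asks for something outside what the CA supports.
            return InfoResponse(False, error=f"unsupported: {sorted(unknown)}")
        return InfoResponse(True, {k: self.known[k] for k in requested})


class EE:
    """An end entity that wants the elaborate profile but can fall back."""

    def __init__(self, ca: CA, wanted: set, required: set):
        self.ca = ca
        self.wanted = wanted        # what the EE would like (e.g. ActiveX data)
        self.required = required    # the minimum it needs to proceed at all
        self.transcript = []        # record of the exchange, for inspection

    def synchronise(self) -> tuple:
        """Return (outcome, info). outcome is 'full', 'minimal' or 'abort'."""
        self.transcript.append(("EE->CA", sorted(self.wanted)))
        first = self.ca.handle_info_request(self.wanted)
        self.transcript.append(("CA->EE", "ok" if first.ok else first.error))
        if first.ok:
            return ("full", first.info)

        # Fallback: resend with an empty SET to learn what the CA does know.
        self.transcript.append(("EE->CA", []))
        second = self.ca.handle_info_request(set())
        self.transcript.append(("CA->EE", sorted(second.info)))
        if self.required <= set(second.info):
            return ("minimal", second.info)
        return ("abort", second.info)


def run_demo() -> dict:
    """Exercise the three situations the thread contemplates."""
    wanted = {OID_CA_CERT, OID_SUPPORTED_ALGS, OID_MS_ACTIVEX}
    required = {OID_CA_CERT, OID_SUPPORTED_ALGS}
    activex_ca = CA({OID_CA_CERT: "cert-A", OID_SUPPORTED_ALGS: "RSA,DSA",
                     OID_MS_ACTIVEX: "control-blob"})
    plain_ca = CA({OID_CA_CERT: "cert-B", OID_SUPPORTED_ALGS: "DSA"})
    sparse_ca = CA({OID_CA_CERT: "cert-C"})  # cannot even satisfy 'required'
    results = {}
    for name, ca in (("activex", activex_ca), ("plain", plain_ca),
                     ("sparse", sparse_ca)):
        ee = EE(ca, wanted, required)
        outcome, info = ee.synchronise()
        results[name] = (outcome, info, ee.transcript)
    return results


if __name__ == "__main__":
    for name, (outcome, info, transcript) in run_demo().items():
        print(f"{name}: {outcome}")
        for step in transcript:
            print("   ", step)
```

The point the model makes visible is that the error path costs exactly one extra round trip and never leaves the EE without a decision: it either proceeds with the full profile, proceeds with what the CA volunteers, or learns early that it cannot proceed at all.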