
RE: PKIX-2 http



Blake:

>> I propose that we define two types:
>> 
>> 	application/pkix-cert
>> 	application/pkix-crl
>
>These will have file extensions also, right?

Yes.  The draft specifies ".cer" and ".crl".


>> I suggest the use of "pkix" instead of "x509" so that an application can be
>> assured that the PKIX Certificate and CRL Profile is followed.  I suspect
>> that many programmers will implement to the PKIX profile, not the full
>> generality of X.509.  If I am wrong, we wasted a lot of time developing a
>> profile that will be ignored.
>
>I agree with this.
>
>> Anil, I do not see a reason to distinguish between user and CA certificates
>> in the MIME type.  In your message, you proposed separate MIME types.
>> Don't you think that the same software application will process the
>> certificate?  If so, then the signed information inside the certificate
>> should be used to determine if it is a CA certificate or a user
>> certificate.
>
>I think that from an implementor's point of view, having different MIME
>types might make processing easier, but checking the basicConstraints
>has to be the final word on the matter, or it seems that there would be
>a potential security problem.

Please explain how user cert and CA cert types would help an implementor.

Russ
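
Added example, not part of the original message: the point quoted above, that basicConstraints has to be the final word, sketched in Python. It reads cA from the certificate itself and treats a separate user/CA type label only as an untrusted hint to cross-check. The function names, the "ca"/"user" labels and the sample certificate are constructed for illustration; the sample is an unsigned skeleton, and a real application would verify the signature and chain before relying on the extension.

```python
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the length-of-length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def children(value):
    """Split the content of a constructed value into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def is_ca(cert_der):
    """True only when basicConstraints is present and asserts cA=TRUE."""
    tbs = children(tlv(cert_der)[1])[0][1]
    for tag, val in children(tbs):
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        for _, ext in children(tlv(val)[1]):
            fields = children(ext)  # extnID, optional critical, extnValue
            if fields[0][1] == BASIC_CONSTRAINTS:
                bc = children(tlv(fields[-1][1])[1])
                return bool(bc) and bc[0] == (0x01, b"\xff")
    return False  # no basicConstraints: treat as a user certificate

def role(claimed, cert_der):
    """Return (role, label_agrees); `claimed` is the untrusted type label."""
    actual = "ca" if is_ca(cert_der) else "user"
    return actual, actual == claimed

def enc(tag, *parts):  # minimal DER encoder for the sample, short lengths only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(ca):
    """Constructed, unsigned skeleton with the certificate's field layout."""
    bc = enc(0x30, enc(0x01, b"\xff")) if ca else enc(0x30)
    ext = enc(0x30, enc(0x06, BASIC_CONSTRAINTS), enc(0x01, b"\xff"), enc(0x04, bc))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"),
              *([enc(0x30)] * 5), enc(0xA3, enc(0x30, ext)))
    return enc(0x30, tbs, enc(0x30), enc(0x03, b"\x00"))
```

A CA certificate delivered under a "user" label still comes back as ("ca", False), so the mismatch is visible and the label never decides the outcome.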