Latest draft (#6) of part 1
I have two issues with the latest draft of part 1. The first I stated
just before this last draft came out, so I'm re-stating it since it still
applies. The other is just a nit.

(1) In 4.2.1.12 (Policy Constraints), on page 31, the ASN.1 for this
extension includes these lines:

    CertificatePoliciesSyntax ::=
        SEQUENCE SIZE (1..MAX) OF PolicyInformation

The ASN.1 in the appendices, however, doesn't have any such thing. Is
this extension supposed to include a bunch of PolicyInformation
structures? (BTW, the ASN.1 in appendix B has a space in
"PolicyConstraints Syntax" near the top of page 85, which I don't think
should be there.)

In reading through the draft, I was wondering _which_ policies this
extension's requireExplicitPolicy field would refer to. The draft says:

    An acceptable policy identifier is the identifier of a
    policy required by the user of the certification path or the
    identifier of a policy which has been declared equivalent through
    policy mapping.

This seems to indicate that the extension itself should not have anything
that identifies a policy. I wonder, though, if that's wise. Wouldn't it
make sense for the issuer to use the certificate to state which policies
are acceptable? If so, a list of policy OIDs should be adequate rather
than a list of PolicyInformation structures.
(2) Shouldn't the Certificate Issuer CRL entry extension be in section 5.3
(CRL entry extensions) instead of 5.2 (CRL extensions)?
Marc
+------------------------------------------------------------------------+
Marc Branchaud \/
Chief PKI Architect /\CERT SOFTWARE INC.
marcnarc@xcert.com PKI References page: www.xcert.com
604-640-6210x227 www.xcert.com/~marcnarc/PKI/
+------------------------------------------------------------------------+
PGP key fingerprint: 60 11 4B 9D 4E E5 2F 47 BD C5 C2 BF 26 DF 5A E1
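
Added example, not part of the message above or of the draft it reviews: a small DER decoder for the Policy Constraints extension value, plus the "acceptable policy identifier" rule quoted from the draft. It assumes the PolicyConstraints syntax as later published in RFC 5280 (two optional skip counts and no policy identifiers), which may differ from draft 6; the function names, sample bytes and OIDs under 2.999 are constructed for illustration.

```python
# Added example. Assumption: PolicyConstraints as published in RFC 5280:
#   PolicyConstraints ::= SEQUENCE {
#       requireExplicitPolicy [0] SkipCerts OPTIONAL,
#       inhibitPolicyMapping  [1] SkipCerts OPTIONAL }

FIELDS = {0x80: "requireExplicitPolicy", 0x81: "inhibitPolicyMapping"}

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_policy_constraints(der):
    """Decode the extension value into its two optional skip counts."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    out = dict.fromkeys(FIELDS.values())
    pos, last = 0, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        # Anything else (e.g. an OID, tag 0x06) is not part of this syntax.
        if tag not in FIELDS or tag <= last or not val or val[0] & 0x80:
            raise ValueError(f"unexpected element, tag 0x{tag:02x}")
        out[FIELDS[tag]], last = int.from_bytes(val, "big"), tag
    return out

def acceptable_policies(user_policies, mappings):
    """User-required policy OIDs plus those declared equivalent by policy mapping.
    mappings: (issuerDomainPolicy, subjectDomainPolicy) pairs from the path."""
    ok = set(user_policies)
    ok |= {subj for iss, subj in mappings if iss in ok}
    return ok

# Constructed sample: SEQUENCE { [0] 0, [1] 2 }; OIDs are placeholders under 2.999.
SAMPLE = bytes.fromhex("3006800100810102")
if __name__ == "__main__":
    print(parse_policy_constraints(SAMPLE))
    print(acceptable_policies({"2.999.1"}, [("2.999.1", "2.999.7")]))
```

Under this syntax a policy OID placed inside the extension is rejected by the decoder, so the set of acceptable policies has to come from the relying party and the path's policy mappings, as the quoted sentence describes.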