Re: [IETF-PKIX] Dave's Critical Proposal
Dave,
X.509, Sec 12.4.3, certificate check, bullet 6 states:
"d) If the certificate policies extension is present and is flagged
critical, compute the intersection of the policies in that extension and the
authority-constrained-policy-set and put the result as the new value of
authority-constrained-policy-set. Check that the intersection of
authority-constrained-policy-set and user-constrained-policy-set is non-empty."
You proposed adding the following statement to PKIX I:
> "If an implementation recognizes the syntax of a particular extension,
> the value of the critical boolean in that extension SHALL be ignored."
If certificate-processing software followed your proposed rule, then it
wouldn't be allowed to use the value of the certificate policies extension
critical flag as part of the certification path validation process specified
in X.509, Sec 12.4.3. Therefore, your statement is contradictory to X.509
and should not be added to PKIX I.
================================
John Pawling
jsp@jgvandyke.com
J.G. Van Dyke & Associates, Inc.
================================
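
The conflict described in the message above, as an added example that is not part of the original post or of any PKIX or X.509 text: it applies the quoted step d) along a constructed path, once honoring each certificate's critical flag and once with the flag ignored and a fixed value substituted. The names `Cert`, `check_path` and `critical_override`, the policy labels, and the handling of the non-critical and initial "unconstrained" cases are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    name: str
    policies: Optional[FrozenSet[str]] = None  # None: policies extension absent
    critical: bool = False                     # critical flag on that extension

def check_path(path: List[Cert], user_set: FrozenSet[str],
               critical_override: Optional[bool] = None
               ) -> Tuple[bool, Optional[FrozenSet[str]]]:
    """Run the quoted step d) over each certificate in path.

    critical_override=None uses each certificate's own flag (X.509 behaviour).
    True/False models an implementation that ignores the flag and treats
    every policies extension the same way.
    Returns (path_ok, authority_constrained_policy_set).
    """
    authority = None  # assumption: None stands for "not yet constrained"
    for cert in path:
        if cert.policies is None:
            continue
        critical = cert.critical if critical_override is None else critical_override
        if not critical:
            continue  # assumption: the quoted bullet only covers the critical case
        # Step d): intersect, store, then check against the user's set.
        authority = cert.policies if authority is None else authority & cert.policies
        if not (authority & user_set):
            return False, authority
    return True, authority

# Constructed sample paths; policy labels are placeholders, not real OIDs.
USER = frozenset({"gold"})
PATH_A = [Cert("CA", frozenset({"gold", "silver"}), critical=True),
          Cert("EE", frozenset({"bronze"}), critical=False)]
PATH_B = [Cert("CA", frozenset({"silver"}), critical=True)]

if __name__ == "__main__":
    for label, path in (("A", PATH_A), ("B", PATH_B)):
        for mode in (None, True, False):
            print(label, mode, check_path(path, USER, mode))
```

Path A is accepted when the flag is honored and rejected when every extension is treated as critical; path B is rejected when the flag is honored and accepted when every extension is treated as non-critical, so neither fixed interpretation reproduces the flag-dependent result.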