Re: ldapv2-schema and CA Certificates
Santosh Chokhani wrote:
>
> Sharon:
>
> I have studied the path development a lot. I am not claiming that I am
> correct. But, here are some of the conclusions I have come to:
>
> 1. Path development is efficient when done backward from the
> direction of trust, i.e., from subject end entity to relying party
> trust anchor(s).
And the end entity certificate is probably all you have, e.g. take an
S/MIME message with the end entity certificate attached or identified by
issuer and serial.
> 2. Path processing has to be done in the forward direction of
> trust, i.e., from the relying party trust anchor(s) to subject.
What do you do if you have several trust anchors, i.e. a set of
keys/certificates you have decided to trust? The selection of anchors may
even be restricted depending on the nature of the document.
But all that leads me to the question whether the current description of
path validation is sufficient. Do we need advice (a best practice) on how
applications should find certificates and how they build paths? All I
know of is a description of how to verify that a path is correct, not
how to (efficiently) find probable paths to put into the verification,
and how to avoid loops and unpromising paths.
Andreas
--
Fifty-three percent of Fortune 1000 executives think the
Arch Deluxe is something that helps to run a computer.
-- Jericho Communications
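As an added illustration of the two points discussed above (this is my own example, not code from either poster): build candidate paths backward from the end entity certificate toward a set of trust anchors, avoid loops caused by cross-certification, prune over-long paths, and hand each result back anchor-first for a separate forward validation step. The certificate store, names and anchors are constructed for the example; certificates are modelled as (subject, issuer) name pairs and no signatures are checked here.

```python
# Added example: backward path building toward a set of trust anchors.
# Certificates are modelled as (subject, issuer) name pairs only; finding
# candidate paths is separate from validating them, which is not done here.
from collections import defaultdict

# Constructed sample store: CA-A and CA-B cross-certify each other (a loop),
# Root1 and Root2 are self-signed, and "Orphan" has no issuer cert available.
SAMPLE_CERTS = [
    ("alice@example.test", "CA-A"),
    ("CA-A", "Root1"),
    ("CA-A", "CA-B"),      # cross-certificate issued by CA-B
    ("CA-B", "CA-A"),      # cross-certificate issued by CA-A (forms a loop)
    ("CA-B", "Root2"),
    ("Root1", "Root1"),
    ("Root2", "Root2"),
    ("bob@example.test", "Orphan"),
]


def index_by_subject(certs):
    """Map each subject name to every certificate issued to that name."""
    by_subject = defaultdict(list)
    for cert in certs:
        by_subject[cert[0]].append(cert)
    return by_subject


def build_paths(ee_cert, certs, trust_anchors, max_depth=6):
    """Return every loop-free chain from ee_cert back to a trusted anchor
    name, each reordered anchor-first so it can be fed to forward path
    validation. trust_anchors is the set of names the relying party
    decided to trust; the anchor itself is not part of the returned chain."""
    by_subject = index_by_subject(certs)
    found = []

    def walk(path):
        subject, issuer = path[-1]
        if issuer in trust_anchors:            # reached the direction of trust
            found.append(list(reversed(path)))
            return
        if len(path) >= max_depth:             # prune unpromising, over-long paths
            return
        seen_subjects = {c[0] for c in path}
        for candidate in by_subject.get(issuer, ()):
            if candidate[0] == candidate[1]:   # self-signed but not an anchor
                continue
            if candidate[0] in seen_subjects:  # loop avoidance (cross-certs)
                continue
            walk(path + [candidate])

    walk([ee_cert])
    return found
```

Restricting the anchor set (e.g. to only Root1) prunes the cross-certified route, which is the anchor-selection question raised above.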