
CertPolicySet definition (was Re: NEW Data type for certificate selection ? )



I have a couple of questions regarding the X.509 definition of
CertPolicySet which Stefan quoted.

Stefan Santesson writes:
>The certificateMatch has the following structure (X.509 section
>12.7.2):
>
>certificateMatch MATCHING-RULE ::= {
>   SYNTAX           CertificateAssertion
>   ID               id-mr-certificateMatch }
>
>CertificateAssertion ::= SEQUENCE {
    ...
>   policy                  [9] CertPolicySet           OPTIONAL,
    ...

>CertPolicySet ::= SEQUENCE (1..MAX) OF CertPolicyId

Can anyone shed light on why this is called a CertPolicy*Set* when it's
defined as a SEQUENCE OF ?

The only thing I can think of is that the nature of the data is 'SET
OF', with the name reflecting that nature, but that 'SEQUENCE OF' has
been used in the definition of the type in order to avoid introducing
DER-encoding hassles.

>     j)  policy matches if all of the policy elements identified 
>         in one of the presented values are contained in the set of 
>         policyElementIds in any of the policyInformation values in 
>         the certificate policies extension in the stored attribute 
>         value;  there is no match if there is no certificate policies 
>         extension in the stored attribute value;

Is there a mismatch between this description and the defined syntax for
CertPolicySet here?  The presence of the phrase 'in one of the presented
values' seems to indicate a different syntax to the one defined.

It looks to me as if the author had in mind a definition of
CertPolicySet along the lines of

    CertPolicySet ::= SET (1..MAX) OF CertPolicyPresentedValues

    CertPolicyPresentedValues ::= SET (1..MAX) OF CertPolicyId

(SET OF being regarded as equivalent to SEQUENCE OF for the purposes of 
this discussion).

If not, then surely CertPolicySet would comprise the entire 'presented 
value', making the phrase 'identified in one of the presented values' 
misleading.

Or am I just reading something into the description which isn't there?

David.
-- 
David Boyce

Tel:	+44 181 332 9091		Richmond, Surrey, ENGLAND
Email:	d.boyce@isode.com	Isode's WWW: http://www.isode.com/
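Added example, not part of David's message or of the X.509 text it quotes. It illustrates the two points raised above in Python: first, why SEQUENCE OF and SET OF are not interchangeable at the DER level (DER orders the components of a SET OF by their encodings, so the on-the-wire bytes can differ from a SEQUENCE OF holding the same CertPolicyIds); second, matching rule (j) implemented over the nested shape the message proposes, where each presented value is itself a set of CertPolicyIds. That nested shape is an assumption taken from the message, not the actual X.509 syntax, and the OIDs used as sample input are constructed for the example.

```python
"""Added example: DER encoding of SEQUENCE OF vs SET OF CertPolicyId, and
the X.509 policy matching rule (j) over a hypothetical nested presented
value.  Not code from the original message or from any X.509 implementation."""
from typing import Iterable, List, Optional, Tuple


def encode_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER given in dotted-decimal form."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        # base-128 groups, most significant first, continuation bit on all but the last
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(groups))
    return bytes([0x06]) + encode_length(len(body)) + bytes(body)


def encode_sequence_of(elements: List[bytes]) -> bytes:
    """SEQUENCE OF keeps the component order exactly as given."""
    body = b"".join(elements)
    return bytes([0x30]) + encode_length(len(body)) + body


def encode_set_of(elements: List[bytes]) -> bytes:
    """SET OF under DER (X.690 11.6): components sorted by their encodings.
    Plain byte-string ordering suffices here because two distinct OID
    encodings never have one as a prefix of the other, so the zero-padding
    tie rule of X.690 cannot come into play."""
    body = b"".join(sorted(elements))
    return bytes([0x31]) + encode_length(len(body)) + body


def cert_policy_set_encodings(policy_ids: Iterable[str]) -> Tuple[bytes, bytes]:
    """Encode the same CertPolicyIds once as SEQUENCE OF and once as SET OF,
    so the two DER results can be compared side by side."""
    encoded = [encode_oid(p) for p in policy_ids]
    return encode_sequence_of(encoded), encode_set_of(encoded)


def policy_matches(presented_values: Iterable[Iterable[str]],
                   cert_policy_ids: Optional[Iterable[str]]) -> bool:
    """Rule (j) as read in the message: match if every CertPolicyId in ONE
    presented value is among the policy identifiers of the certificate's
    certificatePolicies extension; no match at all if that extension is
    absent (modelled here as cert_policy_ids being None).

    presented_values is the hypothetical nested shape from the message:
    a collection of presented values, each a collection of CertPolicyIds."""
    if cert_policy_ids is None:
        return False
    cert_set = set(cert_policy_ids)
    for pv in presented_values:
        pv_set = set(pv)
        # (1..MAX) in the ASN.1 rules out empty values; reject them explicitly
        if pv_set and pv_set <= cert_set:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample input: anyPolicy and an arbitrary second identifier.
    seq, st = cert_policy_set_encodings(["1.2.840.113549", "2.5.29.32.0"])
    print("SEQUENCE OF:", seq.hex())
    print("SET OF     :", st.hex())
    print(policy_matches([{"1.2.840.113549"}, {"2.5.29.32.0"}],
                         ["2.5.29.32.0", "1.3.6.1.5.5.7.2.1"]))
```

Running the script shows the SEQUENCE OF encoding preserving the input order while the SET OF encoding has reordered the two OIDs; a decoder that expects one form and receives the other will not see byte-identical data, which is the practical reason a type whose name says "Set" might still be declared as SEQUENCE OF.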