FW: Minor confusion in PKIX part 1, section 7.3.3
> The following paragraph seems to have two conflicting sentences:
>
> 7.3.3 DSA Signature Keys
>
> ...
>
> If the DSA algorithm parameters are absent from the subjectPublicKey-
> Info AlgorithmIdentifier and the CA signed the subject certificate
> using DSA, then the certificate issuer's DSA parameters apply to the
> subject's DSA key. If the DSA algorithm parameters are absent from
> the subjectPublicKeyInfo AlgorithmIdentifier and the CA signed the
> subject certificate using a signature algorithm other than DSA, then
> the subject's DSA parameters are distributed by other means. If the
> subjectPublicKeyInfo AlgorithmIdentifier field omits the parameters
> component and the CA signed the subject with a signature algorithm
> other than DSA, then clients shall reject the certificate.
>
> I understand the second sentence to mean if the CA cert. has a (for
> example) RSA key, and the EE cert. has a DSA key with no parameters,
> then the EE cert. is okay and I have to find the parameters somewhere
> else.
>
> The third sentence says if the CA cert. has (for example) an RSA key,
> and the EE cert. has a DSA key with no parameters, then I should reject
> the EE cert.
>
> Is there something I'm missing here? If these do conflict, which is the
> correct statement?
>
> Cindy
> ----------
> Cindy Grall cgrall@nai.com
> Network Associates, Inc. phone: (310) 737-1629
> 3415 S. Sepulvida Blvd. fax: (310) 737-1755
> Los Angeles, California 90034
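As an added example that is not part of the thread, the Python below applies the 7.3.3 rule to a DSA subject key exactly as a relying party has to: first decide from the DER whether the parameters component is omitted, then either inherit the issuer's Dss-Parms (CA signed with DSA) or reject. It takes the strict reading of the third sentence, which is the one the later RFC 3279 kept. The minimal DER walker, the OID constants and the tiny sample encodings (p=23, q=11, g=4, not real key sizes) are constructed for illustration.

```python
# Added example: RFC 2459 7.3.3 DSA parameter inheritance for a subject key.
# OIDs (DER content octets): id-dsa, id-dsa-with-sha1, sha1WithRSAEncryption
ID_DSA = bytes.fromhex("2a8648ce380401")
ID_DSA_WITH_SHA1 = bytes.fromhex("2a8648ce380403")
SHA1_WITH_RSA = bytes.fromhex("2a864886f70d010105")

def _tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; returns (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_alg_id(der):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }.
    Returns (oid_bytes, params): params is None when the component is omitted,
    otherwise the raw DER of whatever follows the OID."""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = _tlv(body)
    if tag != 0x06:
        raise ValueError("first component must be an OBJECT IDENTIFIER")
    return oid, (body[pos:] if pos < len(body) else None)

def resolve_dsa_params(subject_spki_alg, cert_sig_alg_oid, issuer_dsa_params):
    """Return the Dss-Parms DER to use for the subject's DSA key, or raise
    ValueError when the certificate must be rejected.
    cert_sig_alg_oid: OID the CA used to sign THIS certificate (signatureAlgorithm).
    issuer_dsa_params: the issuer's already-resolved Dss-Parms DER, or None."""
    oid, params = parse_alg_id(subject_spki_alg)
    if oid != ID_DSA:
        raise ValueError("not a DSA subject key")
    if params is not None:
        if params[0] != 0x30:          # Dss-Parms is itself a SEQUENCE {p, q, g}
            raise ValueError("malformed DSA parameters: reject")
        return params                  # parameters carried in the certificate
    # Parameters omitted: inherit only if the CA signed with DSA (strict reading).
    if cert_sig_alg_oid != ID_DSA_WITH_SHA1:
        raise ValueError("DSA parameters absent and CA did not sign with DSA: reject")
    if issuer_dsa_params is None:
        raise ValueError("DSA parameters absent and issuer has none to inherit: reject")
    return issuer_dsa_params

# Constructed sample encodings (toy values, not real keys).
DSS_PARMS = bytes.fromhex("300902011702010b020104")          # SEQUENCE {23, 11, 4}
ALG_DSA_NO_PARMS = b"\x30\x09\x06\x07" + ID_DSA               # parameters omitted
ALG_DSA_WITH_PARMS = b"\x30\x14\x06\x07" + ID_DSA + DSS_PARMS
```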