
RE: Minor confusion in PKIX part 1, section 7.3.3



Cindy:

You are correct that the two sentences are contradictory.  The safer
thing to do is to reject the certificate since with the X.509
authentication framework and certificate path there is no guarantee as
to what the parameters are.  Thus, the first sentence should be deleted
from PKIX Part 1.

Maybe the editors of PKIX Part 1 can shed some light on it also.

> -----Original Message-----
> From:	Grall, Cynthia [SMTP:Cynthia_Grall@NAI.com]
> Sent:	Tuesday, November 24, 1998 11:43 AM
> To:	'ietf-pkix@imc.org'
> Subject:	FW: Minor confusion in PKIX part 1, section 7.3.3
> 
> 
> > The following paragraph seems to have two conflicting sentences:
> > 
> > 7.3.3  DSA Signature Keys
> > 
> > ...
> > 
> >    If the DSA algorithm parameters are absent from the subjectPublicKeyInfo
> >    AlgorithmIdentifier and the CA signed the subject certificate using DSA,
> >    then the certificate issuer's DSA parameters apply to the subject's DSA
> >    key.  If the DSA algorithm parameters are absent from the
> >    subjectPublicKeyInfo AlgorithmIdentifier and the CA signed the subject
> >    certificate using a signature algorithm other than DSA, then the
> >    subject's DSA parameters are distributed by other means.  If the
> >    subjectPublicKeyInfo AlgorithmIdentifier field omits the parameters
> >    component and the CA signed the subject with a signature algorithm other
> >    than DSA, then clients shall reject the certificate.
> > 
> > I understand the second sentence to mean if the CA cert. has a (for
> > example) RSA key, and the EE cert. has a DSA key with no parameters,
> > then the EE cert. is okay and I have to find the parameters somewhere
> > else.
> > 
> > The third sentence says if the CA cert. has (for example) an RSA key,
> > and the EE cert. has a DSA key with no parameters, then I should reject
> > the EE cert.
> > 
> > Is there something I'm missing here?  If these do conflict, which is the
> > correct statement?
> > 
> > Cindy
> > ----------
> > Cindy Grall                       cgrall@nai.com
> > Network Associates, Inc.          phone: (310) 737-1629
> > 3415 S. Sepulvida Blvd.           fax:   (310) 737-1755
> > Los Angeles, California 90034
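The parameter-inheritance rule under discussion, written out as a path-validation check. This is an added example, not code from the thread or from the PKIX draft: it models only the fields the rule depends on (no DER parsing), uses the real id-dsa, dsa-with-sha1 and RSA OIDs, applies the conservative reading given in the reply (reject when the parameters are absent and the issuer did not sign with DSA), and assumes, as a labelled extension of the text, that an inherited parameter set can itself be inherited further down the path. The certificate subjects and the DSA domain parameter values are constructed toy data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard OIDs (real values) as they appear in AlgorithmIdentifier.algorithm
ID_DSA = "1.2.840.10040.4.1"            # DSA public key in subjectPublicKeyInfo
ID_DSA_WITH_SHA1 = "1.2.840.10040.4.3"  # DSA signature algorithm
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"


@dataclass(frozen=True)
class DsaParams:
    """The Dss-Parms SEQUENCE { p, q, g } carried in AlgorithmIdentifier.parameters."""
    p: int
    q: int
    g: int


@dataclass(frozen=True)
class Cert:
    """Simplified certificate model (hypothetical, not a DER parser): only the
    fields that section 7.3.3 reasons about."""
    subject: str
    spki_alg: str                     # subjectPublicKeyInfo.algorithm.algorithm OID
    spki_params: Optional[DsaParams]  # None when the parameters component is omitted
    sig_alg: str                      # signatureAlgorithm OID the issuer used on this cert


class CertificateRejected(ValueError):
    """Raised when the rule says a client shall reject the certificate."""


def resolve_dsa_params(path: List[Cert]) -> Dict[str, DsaParams]:
    """Walk a certification path ordered trust anchor -> end entity and return the
    effective DSA parameters of every DSA key on it.

    Rule applied (the conservative reading from the reply):
      * parameters present in the SPKI     -> use them as-is
      * absent and issuer signed with DSA  -> inherit the issuer's effective params
      * absent and issuer did not use DSA  -> reject (no trustworthy source of params)
    Passing an inherited parameter set on to the next certificate is an assumption
    about how the text applies along a path longer than CA -> EE.
    """
    effective: Dict[str, DsaParams] = {}
    issuer_params: Optional[DsaParams] = None  # effective params of the previous cert
    for cert in path:
        if cert.spki_alg != ID_DSA:
            issuer_params = None  # non-DSA key: nothing for a child certificate to inherit
            continue
        if cert.spki_params is not None:
            params = cert.spki_params
        elif cert.sig_alg == ID_DSA_WITH_SHA1 and issuer_params is not None:
            params = issuer_params  # first sentence: the issuer's DSA parameters apply
        else:
            raise CertificateRejected(
                f"{cert.subject}: DSA key without parameters and no DSA-signing "
                f"issuer to inherit them from")
        effective[cert.subject] = params
        issuer_params = params
    return effective


def check(path: List[Cert]):
    """Return the parameter map, or the rejection reason as a string."""
    try:
        return resolve_dsa_params(path)
    except CertificateRejected as exc:
        return str(exc)


# Constructed toy numbers; NOT real DSA domain parameters
TOY_PARAMS = DsaParams(p=23, q=11, g=4)
OTHER_PARAMS = DsaParams(p=47, q=23, g=2)

# Constructed sample paths (trust anchor first)
DSA_CHAIN = [
    Cert("Root CA", ID_DSA, TOY_PARAMS, ID_DSA_WITH_SHA1),
    Cert("Sub CA", ID_DSA, None, ID_DSA_WITH_SHA1),  # inherits from Root CA
    Cert("alice", ID_DSA, None, ID_DSA_WITH_SHA1),   # inherits, via Sub CA, from Root CA
]
MIXED_CHAIN = [
    Cert("RSA Root", RSA_ENCRYPTION, None, SHA1_WITH_RSA),
    Cert("bob", ID_DSA, None, SHA1_WITH_RSA),        # the case raised in the question
]
EXPLICIT_CHAIN = [
    Cert("RSA Root", RSA_ENCRYPTION, None, SHA1_WITH_RSA),
    Cert("carol", ID_DSA, OTHER_PARAMS, SHA1_WITH_RSA),  # carries its own parameters
]

if __name__ == "__main__":
    for name, chain in (("DSA_CHAIN", DSA_CHAIN), ("MIXED_CHAIN", MIXED_CHAIN),
                        ("EXPLICIT_CHAIN", EXPLICIT_CHAIN)):
        print(name, "->", check(chain))
```

Running the block prints the inherited parameters for the all-DSA path, the rejection reason for the RSA-CA / parameterless-DSA-EE path, and carol's own parameters for the path where the end entity carries them explicitly.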