PKIX Path determination/construction/processing and AKI pointer hanging
Preamble
Consider the following quotation from our RFC, and envisage
the demo path situation in which one has a signed email quoting
a user certificate from a VeriSign Class 3 organizational CA.
Furthermore, envision that the various user and authority
certificates in the VeriSign hierarchy link backwards
to identify their parent certificates or self-signed public-
key registered by the VeriSign Root registration authority.
" (a) Certification paths may start with a public key of a CA in a
user's own domain, or with the public key of the top of a
hierarchy. Starting with the public key of a CA in a user's own
domain has certain advantages. In some environments, the local
domain is the most trusted. "[RFC2459]
Following the option of 2459, the certification path selected by a
validating user may commence with the user's own private CA, which issues
a private-usage interdomain certificate for ANY of the various VeriSign
authority certificates. Let us say it issues the interdomain
certificate for the lowest VeriSign operated CA (the one
that manages the enterprise-operated CAs in the VeriSign domain).
Issue:
When our relying party performs conforming path processing,
authority identifiers, which are marked critical for the user and say the
enterprise authority certs, the authority key id pointer in the enterprise
cert will be left "hanging".
That is, the party's path validation software would presumably
not enforce presence or knowledge or well-identifiedness
of other VeriSign authority certificates. Instead it would
apply processing based on its local trust delegation
mechanisms. Said software will ensure that the interdomain certificate
issued by the relying party's CA to the enterprise CA's public
key validly introduces the user certificate to the local environment.
Apparent Rule:
PKIX-QC might restrict valid path processing to the chain implied
by authority pointers, so that fixed and CA-managed policy
controls are enforced.
In general PKIX, and with any non-legalistic policies, relying party
domain rules governing path processing/validation are free to leave chain
pointers hanging, providing that they have local-CA mechanisms
such as that suggested in 2459 to discover/determine/process
the locally-required trust path.
Question:
Any major disagreement with what seems to be PKIX-conforming process,
and suggestions for the PKIX-QC document?
Peter.
NB: The same issue goes for CRL(DP) and OCSP certification paths.
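
Added example, not part of the original message: a small model of the two path choices discussed above, building the path once from the top of the hierarchy and once from the relying party's own CA, then listing which authority pointers name a certificate that is absent from the chosen path. It assumes the authority key identifier is carried in its issuer-plus-serial form; the Cert record, all names, serials and key labels are constructed placeholders, and no signatures are verified.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    subject: str
    key: str                                # label for the subject public key
    signed_by: str                          # label for the key that signed this cert
    aki: Optional[Tuple[str, int]] = None   # assumed issuer+serial form of the authority key id

def build_path(cert, pool, anchor, seen=()):
    """Depth-first search from cert back to the anchor, chaining on name and signing key."""
    seen = seen + (cert,)
    if cert.issuer == anchor.subject and cert.signed_by == anchor.key:
        return [anchor, cert]
    for parent in pool:
        if parent not in seen and parent.subject == cert.issuer and parent.key == cert.signed_by:
            rest = build_path(parent, pool, anchor, seen)
            if rest:
                return rest + [cert]
    return None

def hanging_pointers(path):
    """Subjects whose authority pointer names a certificate that is not in the path."""
    present = {(c.issuer, c.serial) for c in path}
    return [c.subject for c in path if c.aki and c.aki not in present]

# Constructed sample hierarchy; names, serials and key labels are placeholders.
ROOT = Cert("Hierarchy Root", 1, "Hierarchy Root", "k-root", "k-root")
OPER = Cert("Hierarchy Root", 2, "Operated CA", "k-oper", "k-root", ("Hierarchy Root", 1))
ENT = Cert("Operated CA", 10, "Enterprise CA", "k-ent", "k-oper", ("Hierarchy Root", 2))
USER = Cert("Enterprise CA", 77, "User", "k-user", "k-ent", ("Operated CA", 10))
# The relying party's own CA and its interdomain certificate for the operated CA's key.
LOCAL = Cert("Local CA", 1, "Local CA", "k-local", "k-local")
CROSS = Cert("Local CA", 5, "Operated CA", "k-oper", "k-local", ("Local CA", 1))
POOL = [ROOT, OPER, ENT, CROSS]

if __name__ == "__main__":
    for anchor in (ROOT, LOCAL):
        path = build_path(USER, POOL, anchor)
        print(anchor.subject, [c.subject for c in path], hanging_pointers(path))
```

In the path anchored at the local CA, the enterprise certificate's pointer still names the hierarchy-issued parent certificate, which the interdomain certificate has replaced, so it is the one reported as hanging.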