
RE: OCSP Service Locator and RFC2459's Authority Information Access



Bob,

AIA is multiply-valued, so you can put in other info:

AuthorityInfoAccessSyntax  ::=
        SEQUENCE SIZE (1..MAX) OF AccessDescription

AccessDescription  ::=  SEQUENCE {
        accessMethod          OBJECT IDENTIFIER,
        accessLocation        GeneralName  }

The OCSP OID would simply identify the URI used for that particular method.

Mike

> -----Original Message-----
> From: Bob Jueneman [mailto:BJUENEMAN@novell.com]
> Sent: Wednesday, March 03, 1999 5:43 PM
> To: ietf-pkix@imc.org; MMyers@verisign.com
> Subject: RE: OCSP Service Locator and RFC2459's Authority Information
> Access
> 
> 
> Michael, is the AIA in that case presumed to apply uniquely 
> to the OCSP provider -- i.e., has OCSP highjacked that field?
> 
> Or can other uses be provided as well, using multiple URIs or 
> whatever?
> 
> Bob
> 
> >>> Michael Myers <MMyers@verisign.com> 03/03/99 05:00PM >>>
> 
> > -----Original Message-----
> > From: salzr@certco.com [mailto:salzr@certco.com] 
> > 
> > This brings up a new question: why is there no OCSP AIA AccessDescription
> > defined?  :) All we need is an OID and a URIName of type IA5STRING.  Is it
> > too late to add this to the current draft?  Does it belong here, or does it
> > more like a cert profile item?  Because of its "dual nature" should it
> > perhaps be written up separately, anyway? (Probably not, since the
> > OID base will end up
> 
> 
> Rick,
> 
> It's already in there:
> 
> "4.1  Certificate Content
> 
>    In order to convey to OCSP clients a well-known point of information
>    access, CAs SHALL provide the capability to include the
>    AuthorityInfoAccess extension (defined in [PKIX1], section 4.2.2.1)
>    in certificates that can be checked using OCSP.  Alternatively, the
>    accessLocation for the OCSP provider may be configured locally at the
>    OCSP client.
> 
>    CAs that support an OCSP service, either hosted locally or provided
>    by an Authorized Responder, MAY provide a value for a
>    uniformResourceIndicator (URI) accessLocation and the OID value id-
>    ad-ocsp for the accessMethod in the AccessDescription SEQUENCE.
> 
>    The value of the accessLocation field in the subject certificate
>    defines the transport (e.g. HTTP) used to access the OCSP responder
>    and may contain other transport dependent information (e.g. a URL)."
> 
> 
> Mike
>
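To make Mike's point concrete (AIA is a SEQUENCE OF AccessDescription, and the accessMethod OID is what picks out the OCSP entry), here is an added example that is not part of the thread: a small hand-rolled DER encoder/decoder for AuthorityInfoAccess that puts a caIssuers entry next to an id-ad-ocsp entry and then selects accessLocations by method OID. The sample URIs are constructed; only uniformResourceIdentifier ([6] IA5String) GeneralNames are handled, as in the quoted section 4.1.

```python
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
URI_TAG = 0x86  # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String
def _tlv(tag, body):
    # DER tag-length-value; short-form length below 128, long form otherwise
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    # first two arcs fold into one byte (40*a+b); remaining arcs are base-128, high bit = more
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))

def encode_aia(descriptions):
    # descriptions: [(accessMethod OID, URI)] -> DER AuthorityInfoAccessSyntax
    return _tlv(0x30, b"".join(
        _tlv(0x30, _oid(oid) + _tlv(URI_TAG, uri.encode("ascii")))
        for oid, uri in descriptions))

def _read(buf, pos):
    # read one TLV at pos -> (tag, value bytes, position just after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def access_locations(der, method):
    # every URI accessLocation whose accessMethod is `method`; other entries are skipped
    want = _oid(method)[2:]  # OID contents without tag and length byte
    tag, seq, _ = _read(der, 0)
    assert tag == 0x30, "AuthorityInfoAccessSyntax must be a SEQUENCE"
    uris, pos = [], 0
    while pos < len(seq):
        _, ad, pos = _read(seq, pos)          # one AccessDescription
        _, oid_body, p = _read(ad, 0)         # accessMethod
        ltag, loc, _ = _read(ad, p)           # accessLocation (GeneralName)
        if oid_body == want and ltag == URI_TAG:
            uris.append(loc.decode("ascii"))
    return uris
# constructed sample: a caIssuers entry and an OCSP entry side by side in one extension
SAMPLE_AIA = encode_aia([(ID_AD_CA_ISSUERS, "http://ca.example/issuer.cer"),
                         (ID_AD_OCSP, "http://ocsp.example/")])
```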