
RE: CA vs. EE cert processing



I think the issue saying that X.509 is broken - is somewhat wrong. If
it is broken - then what's the alternative? Ditto X. things are
ambiguous - when most tech specs (and I can name a few) have more
holes than substance.

X.509 is an information and functional specification that does not
dictate HOW to use things in operational systems. That is a PROFILING
issue. It's just that the PKIX work is now PROFILING X.509 and naturally
operational usage issues need to be dealt with in this process.

regards alan


> -----Original Message-----
> From:	Paul Hoffman / IMC 
> Sent:	Wednesday, April 07, 1999 6:13 AM
> To:	Stephen Kent; ietf-pkix@imc.org
> Subject:	Re: CA vs. EE cert processing
> 
> This summary is great. However, I come to slightly different conclusions
> than you do, based on the same logic. My conclusion is that X.509 by itself
> is broken due to the (now glaring) ambiguity. RFC 2459, though no paragon
> of clarity, fixes the problem of X.509. Thus, *any* CA vendor or cert
> authority who doesn't follow RFC 2459, for at least this part of the cert,
> is using a broken protocol.
> 
> <gratuitous-swipe>
> Folks who implement protocols that start with "X." are used to this kind of
> ambiguity. Let them figure out how to fix it.
> </gratuitous-swipe>
> 
> Should we have added a "ConformsToRFC2459" attribute to RFC 2459?
> 
> --Paul Hoffman, Director
> --Internet Mail Consortium