RE: Cross certification message protection (RFC2510)
Hi Mike,

Sorry for the long delay in responding, but I was out of town for over a
week when you posted your message and have been swamped with a number of
things since I got back.

> ----------
> From: Michael_Shanzer@iris.com[SMTP:Michael_Shanzer@iris.com]
> Sent: Thursday, March 25, 1999 4:17 PM
> To: Juergen.Walter@deh.de
> Cc: ietf-pkix
> Subject: Re: Cross certification message protection (RFC2510)
>
> Juergen,
> I am not really questioning the benefits/differences between signing
> and generating a MAC. My question is about what appears to be a conflict
> in the spec. In one place it says you must protect the message with a MAC,
> and in another place it says you must protect the message with a digital
> signature. I was wondering which section (B7 or 4.6.1) is correct.

Note that in some sense the conflict is only an illusion: Section 4
describes mandatory functionality (i.e., every CMP-compliant entity MUST
support these functions, such as cross-certification); and Appendix B
describes the mandatory profile for those functions (i.e., these are the
sorts of values that MUST appear in various fields in order to support the
required functions). However, since 4.6.1 steps a bit over the line and
talks about a particular mechanism to implement the function (i.e., the
MAC), then the mechanism in 4.6.1 should really align with B7 to save
confusion, even though technically it doesn't need to.

Note, too, that it doesn't matter whether 4.6.1 and B7 use MAC or SIG: this
is only the minimum profile for interoperability. In true IETF fashion,
compliant implementations must support the mandatory set of things, but are
perfectly free to never actually use them in day-to-day operation. Thus,
Juergen need not be too concerned if the profile mandates MAC but he'd
rather use a SIG.

In any case, to keep confusion to a minimum, 4.6.1 and B7 should be aligned.
It seemed to me that SIG might be easier in practice (since CAs wishing to
cross-certify may already have trusted copies of each other's certificates),
but I'm happy to put MAC in B7 if you prefer (I've heard a couple of other
votes privately for MAC). In terms of actual editing, this requires
slightly less typing than changing 4.6.1 to SIG... :-)

I'm trying to collect a list of typos/issues/etc. that people have caught
with respect to RFC 2510. Whenever there is an opportunity to update it
(e.g., if the Working Group decides to consider progressing it to Draft, as
it seems to be considering with RFC 2459), I will put these things in.

Thanks for noticing this and bringing it to my attention!

Carlisle.