Re: Options, was Re: To Be, or NR To Be ...
Alfred Arsenault wrote:
> Ed,
>
> Please accept my apologies if your feelings were hurt, but quite
> frankly I'm getting really tired of your continual twisting of my (and
> other people's) words to support whatever mindgame you have going on at
> the moment.

I regret that you interpret my messages as mindgames and that you choose
to talk for others. And, I also regret in the name of future dialogue
that you have really not recalled your previous misstatements. I also
remind you that you have now more than two weeks of no-reply to my very
clear questions of August 11 -- even though you asked for them with the
now usual emphasis.

> If you give me a signed certificate, and I want to determine if it is
> valid for my purposes as a relying party, I can get one of three
> results:
> - yes, the certificate is valid;
> - no, the certificate is invalid (for whatever reason, such as it
> expired, has been revoked, contains the wrong subject DN, etc.)
> - I don't know; there's not enough information (because I can't trace
> back to a trust anchor, or I can't get the necessary CRL/OCSP response,
> etc.)

If you need to make a decision, it is always YES or NO. A decision can't
be MAYBE or DON'T KNOW.

If I give you my signed certificate and you are going to decide whether to
rely on it in order to send me merchandise, then the "I don't know" case is NO.
However, if you need to rely on my certificate in order to send me a query
by email, then the "I don't know" case is YES.

Either way, the cert is verifiable because it is signed -- a value of either
YES or NO is assigned to the final state.

BTW, and that is what every browser does -- either the cert is accepted or
not according to the trust-points it has acquired, but a cert is always
verifiable if signed. Of course, you may argue that the browser will not
be able to verify the cert if it is signed with a PGP syntax -- but, in
fact, the browser is able, since it will refuse to accept the cert and the
final state in verification will be NO.

Cheers,
Ed Gerck