Re: updated path validation text



Tim,

Thanks for sending the section in advance, since we have not yet
seen the draft, that was (?) posted by 5PM on October 22.  :-)

> Folks,
> 
> We are currently editing "son-of-RFC 2459" which should - no, *will* - be
> posted by 5PM on October 22 (that is, before the Washington meeting
> cut-off).  In general, that should be plenty of time to review and discuss
> before the meeting.  Most of it is minor stuff, and pretty straightforward.

(text deleted)

> Please take a long, hard look at this text!  Your comments are appreciated!

Since you asked, here is some feedback.

In RFC 2459, we had five state variables, now we have twelve!
Verifying the accuracy of the whole description can only be done
while implementing the specification. However, besides the
complexity, I would like to point to some concerns.

I tried to read the text as a new reader and found that the text on
constrained subtrees works fine when subject (DN) names are used, but
it is not clear to understand the description when subjectAltNames
are used in leaf certificates.

Another concern is the following: the whole approach is implicitly
making the assumption that all the information for path validation
is within the certificates themselves. This is one approach. Another
approach, which can be used in combination, is to allow some of the
information normally carried out in certificates (e.g. the
equivalent of the constrained subtrees) to be defined in a local
policy. The text should allow for that alternative.

Denis
 
> Thanks,
> 
> Tim Polk