
Re: QC certificates MAY CERTAINLY be compared!



Anders,

Thank you, I have noticed your comment.

The security considerations section contains CONSIDERATIONS for the general
case and I still believe in the intent behind this sentence, as a good
general guidance to implementations. 

Setting up implementations with the intent to compare two qualified
certificates to see if they represent the same person IS generally a bad
service that shouldn't be performed, since in the general case you will
have a clear risk of misleading results.

Well, if you leave the general case and go into specific cases such as
comparing SEIS certificates within a local region (such as Sweden), then
there will always be cases where some security considerations do not
apply (such as this particular one).

I think this is a minor issue within the security consideration section
which does not affect the implementation of the profile. Sure, there is an
even better way of expressing the original intent behind that sentence. But
on the other hand, there will always be a better way of everything.

I think the present description is good enough. Can you live with it?

/Stefan

At 17:55 1999-10-25 +0100, Anders Rundgren wrote:
>Stefan,
>I have said it before and I say it again.  The following QC-statement is 
>highly doubtful:
>
>"Comparing two qualified certificates to determine if they represent
> the same physical entity may provide misleading results and should
> not be performed"
>
>As you know our famous (?) SEIS-card does indeed allow certificates to
>be compared for subject identity.   That is IMO the whole (and only) point 
>with *real* ID-cards!
>
>So this is a statement of the CPS.  Not of the draft.
>
>
>
>BTW, why no explicit support for "container ID" (card serial) as most QCs
>will be put in smart cards?  It was in SEIS already.
>
>
>Anders
>
>
>-----Original Message-----
>From: Stefan Santesson <stefan@accurata.se>
>To: ietf-pkix@imc.org <ietf-pkix@imc.org>
>Date: Monday, October 25, 1999 14:14
>Subject: New submitted draft for Qualified Certificates
>
>
>>All,
>>
>>A new draft for a Qualified Certificates Profile was submitted Friday 22.
>>
>>The new draft can be obtained from:
>>http://www.accurata.se/QC/documents/draft-ietf-pkix-qc-02.txt
>>
>>The QC website has been updated accordingly:
>>http://www.accurata.se/QC/
>>
>>See also under settled topics to obtain information about major
>>considerations since the last draft.
>>
>>/Stefan
>>-------------------------------------------------------------------
>>Stefan Santesson                <stefan@accurata.se>
>>Accurata AB                     http://www.accurata.se
>>Slagthuset                      Tel. +46-40 108588              
>>211 20  Malmö                   Fax. +46-40 150790              
>>Sweden                        Mobile +46-70 5247799
>>
>>PGP fingerprint: 89BC 6C79 5B3D 591B 8547  1512 7D11 DBF4 528F 29A0
>>-------------------------------------------------------------------
>>