Comments on draft-ietf-pkix-ac509prof-01.txt

[Sean Turner <turners@xxxxxxxx>]

Just a few comments/questions:

1. Can we add the text AA CA to the terminology section?  It is used in
section 5 and I think is pretty import.  Some suggested text (feel free
to modify it as you see fit): "AA CA  A CA that issues a PKC to an AA
indicating that it is allowed to issue ACs."

2. Clause 4.3.8 (issuerUniqueId) says: "This field MUST NOT be used."
shouldn't it be changed to say: "This field MUST be populated if the
AA's PKC includes the issuerUniqueId field.  Otherwise, this field MUST
NOT be used."  RFC2459 recommends that they not be included, but it
doesn't prohibit them.  In the case issuerUniqueIdentifier is present in
the AA's PKC, AC validation should check that they are present and both
match.

3. I think the first bullet in 5 (Attribute Certificate Validation)
should be changed to say: "The AC signature must be cryptographically
correct and the AC issuer's entire certification path (including the AC
issuer's PKC) MUST be verified in accordance with [RFC2459]."  On first
reading I wasn't sure that you only had to check the signature on the
issuer's PKC or the entire certificate path.  I think it's better to be
explicit.

4. Should we add a new "MUST satisfy" bullet in 5 that says: "The AC
issuer's distinguished name in issuerName.GeneralNames must match the
name in the AC issuer's PKC issuer field."  Or do you implicitly get
that check from checking the signature on the AC?

5. Right be the additional certification path checks in clause 5 there's
a parenthetical that should refer to (3) vice (2).

6.  Where is the format for the AC revocation list?  Are the revoked ACs
going to be put on the CRL or in some AC specific revocation list?

Thanks,

spt