Q: Are repeated OIDs allowed in the AIA extension?
All,
This is a question about the constraints on the contents of the
Authority Information Access extension as defined in RFC 2459. The
data value in this extension consists of a sequence of OID/GeneralName
pairs. The OID portion of the pair indicates the purpose of the value,
while the GeneralName indicates where and (in some cases) the protocol
to use to perform other operations related to the certificate. The
current RFC does not specify any restriction on the values stored in the
extension. In particular, it doesn't seem to rule out pairs in the
sequence that have the same OID.
I can imagine certificates that are issued that make use of the
capability to associate multiple location values (names) with a single
OID. For example:
OCSPResponder : http://ocsp.company.com
OCSPResponder : http://ocsp.default.com
This set of values in the AIA extension might indicate that two OCSP
responders are available for checking certificate status. Also:
OCSPResponder: http://ocsp.company.com
OCSPResponder: tcpmsg://ocsp.company.com:1111
This configuration might indicate that OCSP is available over two
protocols (HTTP POST and a hypothetical standard TCP message protocol).
The certificate client would be allowed to choose one that it has
implemented.
Is this sort of repeated value allowed in AIA?
Terry Hayes
thayes@netscape.com
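The following is an added illustration, not part of Terry's message or of any Netscape code. It encodes the two example AIA extensions from the post as DER, following the RFC 2459 syntax (AuthorityInfoAccessSyntax is a SEQUENCE OF AccessDescription, each a SEQUENCE of an accessMethod OID and an accessLocation GeneralName), decodes the bytes back, and groups the locations by access method, which is how a client that tolerates repeated OIDs would collect every responder it could use. Assumptions: a minimal hand-written DER encoder/decoder restricted to the uniformResourceIdentifier [6] GeneralName choice (other choices are left as raw bytes), the constructed sample URLs, and the "tcpmsg://" URI from the post, which is hypothetical there and here.

```python
"""Encode and decode an RFC 2459 AuthorityInfoAccess value with repeated OIDs.

Added example: the ASN.1 module in RFC 2459 places no uniqueness constraint
on accessMethod, so two AccessDescription entries may carry the same OID.
This code shows what such an extension looks like on the wire and how a
client can gather all locations per method. Not from the original post.
"""

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # [6] IMPLICIT IA5String: GeneralName.uniformResourceIdentifier


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_aia(entries):
    """entries: list of (accessMethod OID, URI). Repeated OIDs are allowed."""
    descs = b"".join(
        _tlv(TAG_SEQUENCE, encode_oid(oid) + _tlv(TAG_URI, uri.encode("ascii")))
        for oid, uri in entries
    )
    return _tlv(TAG_SEQUENCE, descs)


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    # Assumes the first arc is 0 or 1 (true for all PKIX OIDs used here).
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_aia(der):
    """Parse AuthorityInfoAccessSyntax into a list of (OID, location) pairs."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("AIA must be a single SEQUENCE with no trailing data")
    entries, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        t, oid_body, p = _read_tlv(desc, 0)
        if t != TAG_OID:
            raise ValueError("accessMethod must be an OBJECT IDENTIFIER")
        t, name_body, _ = _read_tlv(desc, p)
        # Only the URI choice is decoded; other GeneralName choices stay raw.
        location = name_body.decode("ascii") if t == TAG_URI else name_body
        entries.append((decode_oid(oid_body), location))
    return entries


def locations_by_method(entries):
    """Group every accessLocation under its accessMethod, preserving order."""
    grouped = {}
    for oid, location in entries:
        grouped.setdefault(oid, []).append(location)
    return grouped


# Constructed sample mirroring the two configurations in the post.
SAMPLE_ENTRIES = [
    (OID_OCSP, "http://ocsp.company.com"),
    (OID_OCSP, "tcpmsg://ocsp.company.com:1111"),  # hypothetical protocol
    (OID_CA_ISSUERS, "http://ca.company.com/ca.cer"),
]

if __name__ == "__main__":
    der = encode_aia(SAMPLE_ENTRIES)
    print(der.hex())
    for oid, locs in locations_by_method(decode_aia(der)).items():
        print(oid, locs)
```

The decoder deliberately does not reject a repeated accessMethod: nothing in the RFC 2459 module forbids it, so a client that wants to fail over between responders simply iterates the grouped list for id-ad-ocsp and picks the first location whose URI scheme it implements.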