RE: Q: Are repeated OIDs allowed in the AIA extension?
Hi Russ,
The clarification of AIA is pretty good. However, it doesn't
address Terry's question, which is whether there can be an AIA extension
that has multiple OIDs with an accessMethod of id-ad-ocsp and
different accessLocations.
We have definitely assumed that you can have this kind of
a situation, if you have multiple URLs that point to legitimate
OCSP responders for your server.
Regards,
Ambarish
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ambarish@valicert.com
1215 Terra Bella Ave. http://www.valicert.com
Mountain View, CA 94043-1833
> -----Original Message-----
> From: Russ Housley [mailto:housley@spyrus.com]
> Sent: Wednesday, December 08, 1999 8:02 AM
> To: thayes@netscape.com
> Cc: ietf-pkix@imc.org
> Subject: Re: Q: Are repeated OIDs allowed in the AIA extension?
>
>
> Terry:
>
> We tried to clarify AIA in the revision to RFC 2459. Please review
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-new-part1-00.txt.
> If you still have questions, please post them in the context of
> the new AIA text.
>
> Russ
>
> At 05:14 PM 12/7/99 -0800, Terry Hayes wrote:
> >All,
> >
> >This is a question about the constraints on the contents of the
> >Authority Information Access extension as defined in RFC 2459. The
> >data value in this extension consists of a sequence of OID/GeneralName
> >pairs. The OID portion of the pair indicates the purpose of the value,
> >while the GeneralName indicates where and (in some cases) the protocol
> >to use to perform other operations related to the certificate. The
> >current RFC does not specify any restriction on the values stored in the
> >extension. In particular, it doesn't seem to rule out pairs in the
> >sequence that have the same OID.
> >
> >I can imagine certificates that are issued that make use of the
> >capability to associate multiple location values (names) with a single
> >OID. For example:
> >
> > OCSPResponder : http://ocsp.company.com
> > OCSPResponder : http://ocsp.default.com
> >
> >This set of values in the AIA extension might indicate that two OCSP
> >responders are available for checking certificate status. Also:
> >
> > OCSPResponder: http://ocsp.company.com
> > OCSPResponder: tcpmsg://ocsp.company.com:1111
> >
> >This configuration might indicate that OCSP is available over two
> >protocols (HTTP POST and a hypothetical standard TCP message protocol).
> >The certificate client would be allowed to choose one that it has
> >implemented.
> >
> >Is this sort of repeated value allowed in AIA?
> >
> >Terry Hayes
> >thayes@netscape.com
>
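The following is an added example, not part of the thread above. It shows the structure Terry describes (a SEQUENCE of AccessDescription pairs, each an accessMethod OID plus a GeneralName) by DER-encoding an AIA extension that repeats id-ad-ocsp with the two OCSP URLs from his first example, then parsing it back so that a client collects every accessLocation for a method instead of stopping at the first. The minimal DER encoder/decoder is hand-written for the example (a real validator would use its ASN.1 library), the caIssuers URL is a constructed placeholder, and the `tcpmsg` scheme is Terry's hypothetical protocol.

```python
"""Build and parse a DER AuthorityInfoAccess extension that repeats id-ad-ocsp.

Added example with a hand-rolled minimal DER codec; not code from the thread.
"""
from collections import defaultdict

# Access method OIDs from RFC 2459 section 4.2.2.1.
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String


def _base128(n):
    """Encode a non-negative integer in the base-128 form used for OID arcs."""
    chunk = [n & 0x7F]
    n >>= 7
    while n:
        chunk.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(chunk))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    # The first two arcs are packed into one value: 40 * arc1 + arc2.
    return b"".join(_base128(v) for v in [40 * arcs[0] + arcs[1]] + arcs[2:])


def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + body


def encode_aia(entries):
    """entries: iterable of (accessMethod OID, URI) -> DER AuthorityInfoAccessSyntax."""
    descriptions = b"".join(
        _tlv(TAG_SEQUENCE, _tlv(TAG_OID, encode_oid(oid)) + _tlv(TAG_URI, uri.encode("ascii")))
        for oid, uri in entries)
    return _tlv(TAG_SEQUENCE, descriptions)


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element); reject bad lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV contents run past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_aia(der):
    """Map each accessMethod OID to all of its accessLocations, in certificate order.

    Grouping (rather than keeping only the first match) is what lets a client
    see both OCSP responders when the OID is repeated."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("AIA is not a single SEQUENCE")
    locations, pos = defaultdict(list), 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        mtag, method, p = _read_tlv(desc, 0)
        ltag, location, p = _read_tlv(desc, p)
        if mtag != TAG_OID or p != len(desc):
            raise ValueError("malformed AccessDescription")
        # Only URI GeneralNames are decoded; other name forms are kept raw.
        name = location.decode("ascii") if ltag == TAG_URI else ("tag 0x%02x" % ltag, bytes(location))
        locations[decode_oid(method)].append(name)
    return dict(locations)


def ocsp_responders(der):
    return parse_aia(der).get(ID_AD_OCSP, [])


def select_responder(urls, supported_schemes=("http",)):
    """Pick the first location whose URI scheme this client implements, else None."""
    for url in urls:
        if url.split(":", 1)[0].lower() in supported_schemes:
            return url
    return None


# Constructed sample: the two OCSP URLs from Terry's first example plus a
# caIssuers entry with a placeholder URL, to show grouping by method.
SAMPLE_AIA = encode_aia([
    (ID_AD_OCSP, "http://ocsp.company.com"),
    (ID_AD_OCSP, "http://ocsp.default.com"),
    (ID_AD_CA_ISSUERS, "http://ca.example.test/issuer.cer"),
])

if __name__ == "__main__":
    print(SAMPLE_AIA.hex())
    print(parse_aia(SAMPLE_AIA))
    print(select_responder(["tcpmsg://ocsp.company.com:1111", "http://ocsp.company.com"]))
```

`select_responder` mirrors the client behaviour Terry describes for his second example: offered both a `tcpmsg://` and an `http://` location under the same OID, a client that only implements HTTP simply takes the HTTP one.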