Re: draft-ietf-ipsec-pki-profile-01.txt
Brian Korver <briank@xythos.com> Fri, 15 November 2002 20:42 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id gAFKggg10189; Fri, 15 Nov 2002 12:42:43 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA27105 Fri, 15 Nov 2002 15:02:12 -0500 (EST)
Date: Fri, 15 Nov 2002 11:59:09 -0800
Subject: Re: draft-ietf-ipsec-pki-profile-01.txt
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Mime-Version: 1.0 (Apple Message framework v546)
Cc: ipsec@lists.tislabs.com
To: "Housley, Russ" <rhousley@rsasecurity.com>
From: Brian Korver <briank@xythos.com>
In-Reply-To: <5.1.0.14.2.20021115115152.03435ac8@exna07.securitydynamics.com>
Message-Id: <B482E888-F8D4-11D6-A746-000393751598@xythos.com>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.546)
X-Envelope-To: ipsec@lists.tislabs.com, rhousley@rsasecurity.com
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
On Friday, November 15, 2002, at 08:54 AM, Housley, Russ wrote:

> Brian:
>
>>>>> Please adjust the example description in section 3.3.11.3. There is no requirement that a trust anchor be specified by a self-signed certificate. The peer should never be asked to provide a certificate associated with a trust anchor.
>>>>
>>>> 3.3.11.3 doesn't state that R is a self-signed certificate. I'm also not sure that Trust Anchor is what most people will think of when they think of certificates for which they have cached the validity status. I see what you're saying, but I'm not sure how best to say it.
>>>
>>> The example should refer to an intermediate certificate (like CA1), not the trust anchor (R).
>>
>> I'll change R to CA3 and add ", which can be a self-signed root or any other trust anchor".
>
> The example should not discuss the self-signed certificate! The example should discuss an intermediate certificate (like CA1) which is clearly part of the certification path. The trust anchor, regardless of how it is represented, is not part of the certification path that an implementation sends to its peer.

Russ,

If trust anchors can be self-signed, what is wrong with pointing this out? IMHO it makes the example clearer, as I'm pointing out that CA3 may actually NOT be self-signed.

-brian
briank@xythos.com