Re: draft-ietf-ipsec-pki-profile-01.txt
"Housley, Russ" <rhousley@rsasecurity.com> Fri, 15 November 2002 17:28 UTC
From: "Housley, Russ" <rhousley@rsasecurity.com>
To: Brian Korver <briank@xythos.com>
Cc: ipsec@lists.tislabs.com
Message-Id: <5.1.0.14.2.20021115115152.03435ac8@exna07.securitydynamics.com>
Date: Fri, 15 Nov 2002 11:54:09 -0500
Subject: Re: draft-ietf-ipsec-pki-profile-01.txt
In-Reply-To: <340081CC-F845-11D6-A746-000393751598@xythos.com>
References: <5.1.0.14.2.20021113111442.0343e4a0@exna07.securitydynamics.com>

Brian:

>>>>Please adjust the example description in section 3.3.11.3. There is no
>>>>requirement that a trust anchor be specified by a self-signed
>>>>certificate. The peer should never be asked to provide a certificate
>>>>associated with a trust anchor.
>>>
>>>3.3.11.3 doesn't state that R is a self-signed certificate. I'm
>>>also not sure that Trust Anchor is what most people will think of
>>>when they think of certificates for which they have cached the
>>>validity status. I see what you're saying, but I'm not sure
>>>how best to say it.
>>
>>The example should refer to an intermediate certificate (like CA1), not
>>the trust anchor (R).
>
>I'll change R to CA3 and add ", which can be a self-signed root
>or any other trust anchor".

The example should not discuss the self-signed certificate! The example
should discuss an intermediate certificate (like CA1) which is clearly
part of the certification path. The trust anchor, regardless of how it
is represented, is not part of the certification path that an
implementation sends to its peer.

Russ
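
The distinction discussed in this message, as an added example that is not part of the original message or of the draft: a sender assembles the certification path for its peer and stops below the trust anchor, whether the anchor is held as a self-signed certificate or only as a configured name and key. The `Cert` type, `path_to_send` and the names other than R and CA1 are hypothetical, and the model chains by subject and issuer name only, with no signature or validity checks.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def path_to_send(end_entity, pool, trust_anchor_names):
    """Return the certificates to send to the peer: the end entity first,
    then each intermediate, stopping below the trust anchor.

    trust_anchor_names is the locally configured anchor set. An anchor needs
    no certificate in the pool at all; if its self-signed certificate is
    present, it is still never added to the path.
    """
    by_subject = {c.subject: c for c in pool}
    path, seen, current = [], set(), end_entity
    while True:
        if current.subject in seen:
            # e.g. a self-signed certificate that is not a configured anchor
            raise ValueError("issuer loop at " + current.subject)
        seen.add(current.subject)
        path.append(current)
        if current.issuer in trust_anchor_names:
            return path  # issued directly by the anchor: path is complete
        issuer_cert = by_subject.get(current.issuer)
        if issuer_cert is None:
            raise ValueError("no certificate for issuer " + current.issuer)
        current = issuer_cert


# Constructed sample hierarchy: R (trust anchor) -> CA1 -> CA2 -> end entity.
R_SELF_SIGNED = Cert("R", "R")
CA1 = Cert("CA1", "R")
CA2 = Cert("CA2", "CA1")
EE = Cert("gw.example.test", "CA2")

if __name__ == "__main__":
    # Anchor held as a self-signed certificate, then as a bare name and key.
    for pool in ([CA1, CA2, R_SELF_SIGNED], [CA1, CA2]):
        print([c.subject for c in path_to_send(EE, pool, {"R"})])
```

Both pools produce the same path of end entity, CA2 and CA1, so the representation of the anchor has no effect on what the peer receives.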