cert chain processing
Brian Swander <briansw@microsoft.com> Thu, 10 September 1998 20:42 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA25323 for ipsec-outgoing; Thu, 10 Sep 1998 16:42:57 -0400 (EDT)
Message-ID: <39ADCF833E74D111A2D700805F1951EF053FA365@RED-MSG-06>
From: Brian Swander <briansw@microsoft.com>
To: "'ipsec@tis.com'" <ipsec@tis.com>
Subject: cert chain processing
Date: Thu, 10 Sep 1998 13:59:57 -0700
X-Mailer: Internet Mail Service (5.5.2232.9)
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Is it possible to mandate that if sending a cert chain, it be sent as a single cert payload as pkcs7 wrapping of all necessary certs? I can't think of any good reason to support sending all the certs in arbitrary orders in the payload.

Ex:
Chain: Root, CA1, CA2, UserCert
Possible payload: ID, CA2, Sig, CA1, User
Much Better: ID, Cert, Sig where Cert contains all the necessary certs in one place.

Of course it's possible to grovel around the entire payload and build up the chain before processing the sig payload, but I see no benefit in supporting this complexity.

Also, say someone wanted to send 2 chains, for whatever reason. If we had it mandatory that chains be sent as single cert payloads, this is easy. Supporting multiple chains within the free-for-all individual cert payload format is just stupid.

Comments?

bs
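Added example, not part of the original message: a sketch of the chain reassembly a receiver has to do when certs arrive as separate payloads in arbitrary order, using the message's sample chain. It assumes a simplified model in which a cert is only a (subject, issuer) name pair and the root is a locally configured trust anchor; `Cert`, `build_chain` and all names are hypothetical, and no signatures are verified.

```python
from collections import namedtuple

# Simplified stand-in for a certificate: names only (assumption, no crypto).
Cert = namedtuple("Cert", "subject issuer")

def build_chain(certs, leaf_subject, trust_anchors):
    """Order an unordered bag of certs as leaf -> ... -> cert issued by an anchor.

    Raises ValueError on a missing link, an ambiguous subject, or a loop.
    Returns (chain, leftovers); leftovers are certs not used by this chain,
    which is where a second interleaved chain would end up.
    """
    by_subject = {}
    for cert in certs:
        by_subject.setdefault(cert.subject, []).append(cert)

    chain, seen, name = [], set(), leaf_subject
    while name not in trust_anchors:
        if name in seen:
            raise ValueError("loop at %r" % name)
        candidates = by_subject.get(name, [])
        if not candidates:
            raise ValueError("missing certificate for %r" % name)
        if len(candidates) > 1:
            raise ValueError("ambiguous: %d certs for %r" % (len(candidates), name))
        seen.add(name)
        chain.append(candidates[0])
        name = candidates[0].issuer

    leftovers = [c for c in certs if c not in chain]
    return chain, leftovers

# Constructed sample: cert payloads in the order from the message
# (ID, CA2, Sig, CA1, User), with the non-cert payloads dropped.
PAYLOAD_CERTS = [
    Cert("CA2", "CA1"),
    Cert("CA1", "Root"),
    Cert("UserCert", "CA2"),
]

if __name__ == "__main__":
    chain, extra = build_chain(PAYLOAD_CERTS, "UserCert", {"Root"})
    print([c.subject for c in chain], extra)
```
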