Re: cert chain processing
Rodney Thayer <rodney@tillerman.nu> Fri, 11 September 1998 01:43 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id VAA26084 for ipsec-outgoing; Thu, 10 Sep 1998 21:43:12 -0400 (EDT)
Message-Id: <199809110057.UAA03920@2gn.com>
X-Sender: rodney@module-one.tillerman.nu
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.2
Date: Thu, 10 Sep 1998 21:54:30 -0400
To: Brian Swander <briansw@microsoft.com>
From: Rodney Thayer <rodney@tillerman.nu>
Subject: Re: cert chain processing
Cc: ipsec@tis.com
In-Reply-To: <39ADCF833E74D111A2D700805F1951EF053FA365@RED-MSG-06>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Requiring pkcs7 wrapping of things together doesn't add any value I can see. You have to store all the certs anyway, you have to process them individually (check sigs, check names, check not-before and not-after times, etc. etc.) You also can't be sure you'll get the entire chain at once, so you still have to process one at a time.

At 01:59 PM 9/10/98 -0700, you wrote:
>Is it possible to mandate that if sending a cert chain, it be sent as a
>single cert payload as pkcs7 wrapping of all necessary certs?
>
>I can't think of any good reason to support sending all the certs in
>arbitrary orders in the payload.
>
>Ex:
>
>Chain : Root, CA1, CA2, UserCert
>
>Possible payload:
>ID, CA2, Sig, CA1, User
>
>Much Better:
>
>ID, Cert, Sig where Cert contains all the necessary certs in one place.
>
>Of course it's possible to grovel around the entire payload and build up the
>chain before processing the sig payload, but I see no benefit in supporting
>this complexity.
>
>Also, say someone wanted to send 2 chains, for whatever reason. If we had
>it mandatory that chains sent as single cert payloads, this is easy.
>Supporting multiple chains within the free-for-all individual cert payload
>format is just stupid.
>
>Comments?
>
>bs
- cert chain processing Brian Swander
- Re: cert chain processing Rodney Thayer
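As an added illustration of the processing Rodney describes (store every cert payload, check each one individually for signature, name chaining and validity dates, and cope with payloads that arrive in any order or with part of the chain still missing), the Python below builds a chain from an unordered pool of certs. It is example code written for this page, not from the thread or from any IKE or PKCS#7 implementation. Signatures use textbook RSA over fixed small primes so the block runs offline; that, the Root/CA1/CA2/User names, the integer dates and the "two chains" second leaf are all constructed for the example, and the scheme is deliberately insecure.

```python
"""Chain building from cert payloads received in arbitrary order (added example)."""
import hashlib
from dataclasses import dataclass

E = 65537


def make_key(p, q):
    """Toy textbook RSA from two fixed small primes (constructed; never do this for real)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # (public, private)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple        # (n, e) of the subject
    not_before: int   # integer "dates" keep the example simple
    not_after: int
    sig: int

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.pub}|{self.not_before}|{self.not_after}".encode()


def _digest(tbs, n):
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n


def issue(subject, pub, issuer, issuer_priv, not_before, not_after):
    """The issuer signs the to-be-signed fields with its private key."""
    n, d = issuer_priv
    unsigned = Cert(subject, issuer, pub, not_before, not_after, 0)
    return Cert(subject, issuer, pub, not_before, not_after, pow(_digest(unsigned.tbs(), n), d, n))


def verify_sig(cert, issuer_pub):
    n, e = issuer_pub
    return pow(cert.sig, e, n) == _digest(cert.tbs(), n)


def build_chain(leaf, store, anchors, now):
    """Walk issuer links from leaf toward a trust anchor, checking each cert as it is reached.

    store   : every cert payload received so far, in any order
    anchors : {subject: public key} of the locally trusted roots
    Returns (status, [subjects]): 'trusted', 'incomplete' (an issuer has not
    arrived yet, so more payloads may still fix it) or 'invalid' (a check failed)."""
    by_subject = {}
    for c in store:
        by_subject.setdefault(c.subject, []).append(c)
    chain, cur = [leaf.subject], leaf
    while True:
        if not (cur.not_before <= now <= cur.not_after):
            return "invalid", chain                       # expired or not yet valid
        if cur.issuer in anchors:                          # name chains to a trust anchor
            ok = verify_sig(cur, anchors[cur.issuer])
            return ("trusted" if ok else "invalid"), chain + [cur.issuer]
        issuers = by_subject.get(cur.issuer, [])
        if not issuers:
            return "incomplete", chain                    # keep what we have, wait for more
        good = [c for c in issuers if verify_sig(cur, c.pub)]
        if not good:
            return "invalid", chain                       # right name, wrong key
        cur = good[0]
        if cur.subject in chain:
            return "invalid", chain                       # loop guard
        chain.append(cur.subject)


# Constructed keys and certs: Root -> CA1 -> CA2 -> User, plus User2 issued by CA1.
ROOT_PUB, ROOT_PRIV = make_key(2147483647, 4294967291)
CA1_PUB, CA1_PRIV = make_key(1000000007, 998244353)
CA2_PUB, CA2_PRIV = make_key(1000000009, 999999937)
USER_PUB, _ = make_key(1000000021, 1000000033)
ANCHORS = {"Root": ROOT_PUB}
NOW = 2000
CA1 = issue("CA1", CA1_PUB, "Root", ROOT_PRIV, 1000, 3000)
CA2 = issue("CA2", CA2_PUB, "CA1", CA1_PRIV, 1000, 3000)
USER = issue("User", USER_PUB, "CA2", CA2_PRIV, 1000, 3000)
USER2 = issue("User2", USER_PUB, "CA1", CA1_PRIV, 1000, 3000)


def demo():
    # Payloads arrived as CA2, CA1, User: the "arbitrary order" case from the thread.
    full = build_chain(USER, [CA2, CA1, USER], ANCHORS, NOW)
    # CA1 has not arrived: undecidable for now, not a rejection.
    partial = build_chain(USER, [CA2, USER], ANCHORS, NOW)
    # A CA2 cert with the right name and key but signed with the wrong private key.
    bogus_ca2 = issue("CA2", CA2_PUB, "CA1", CA2_PRIV, 1000, 3000)
    forged = build_chain(USER, [bogus_ca2, CA1, USER], ANCHORS, NOW)
    # An intermediate whose validity period has ended.
    old_ca1 = issue("CA1", CA1_PUB, "Root", ROOT_PRIV, 1000, 1500)
    expired = build_chain(USER, [CA2, old_ca1, USER], ANCHORS, NOW)
    # Two chains served from the same pool of individual cert payloads.
    second = build_chain(USER2, [CA2, CA1, USER, USER2], ANCHORS, NOW)
    return full, partial, forged, expired, second


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The three outcomes are kept apart on purpose: an absent issuer is reported as incomplete so the caller can wait for the rest of the peer's payloads, whereas a failed signature, an expired cert or a loop is a definite reject no matter what arrives later. Note that the forged CA2 is only caught when its own signature is checked against CA1, which is why each cert has to be verified individually rather than trusting a bundle as a whole.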