Re: Security AD Review of draft-ietf-pkix-ipki3cmp-05.txt
Bob Jueneman <BJUENEMAN@novell.com> Wed, 12 November 1997 21:15 UTC
Message-Id: <s469a907.051@novell.com>
X-Mailer: Novell GroupWise 4.1
Date: Wed, 12 Nov 1997 13:02:25 -0700
From: Bob Jueneman <BJUENEMAN@novell.com>
To: kent@bbn.com, cadams@entrust.com, jis@mit.edu, stephen.farrell@sse.ie, wford@verisign.com
Cc: ietf-pkix@tandem.com
Subject: Re: Security AD Review of draft-ietf-pkix-ipki3cmp-05.txt

Jeffrey,

>From section 1.3 (requirements)
>
>> 10. Final authority for certification creation rests with the CA; no
>> RA or end-entity equipment can assume that any certificate issued by a
>> CA will contain what was requested -- a CA may alter certificate field
>> values or may add, delete or alter extensions according to its operating
>> policy; the only exception to this is the public key, which the CA must
>> not modify (assuming that the CA was presented with the public key
>> value). In other words, all PKI entities (end-entities, RAs, and CAs)
>> must be capable of handling responses to requests for certificates in
>> which the actual certificate issued is different from that requested
>> (for example, a CA may shorten the validity period requested).

Regardless of what portion of a requested certificate might be changed by the CA, the text of the requirements should be changed to clarify the fact that the requesting subscriber (end-user, normally) is responsible for reviewing and approving the modifications made, if any. If the subscriber does not approve the certificate contents, the CA may not publish or otherwise distribute the certificate. Cf. the ABA Digital Signature Guidelines, para 1.1, 3.8, and 4.2. The DSG are available at http://www.abanet.org/scitech/ec/isc/dsgfree.html.

What rights the RA should have to review and approve the revised certificate would be an interesting question, as the role that an RA plays that is independent of the CA has not been adequately developed, IMHO.

Bob

Robert R. Jueneman
Security Architect
Novell, Inc.
Network Services Division
122 East 1700 South
Provo, UT 84604
801/861-7387
bjueneman@novell.com

"If you are trying to get to the moon, climbing a tree, although a step in the right direction, will not prove to be very helpful."

"The most dangerous strategy is to cross the chasm in two leaps."