Re: [IETF-PKIX] CMP draft question

Carlisle Adams <carlisle.adams@ENTRUST.COM> Tue, 10 February 1998 21:30 UTC


Hi Gina,

>----------
>From:  gmd@openroute.com[SMTP:gmd@openroute.com]
>Sent:  Tuesday, February 10, 1998 2:23 PM
>To:    Carlisle Adams; ietf-pkix@tandem.com
>Subject:       CMP draft question
>
>       Hi!
>
>       I have a question about the root CA fingerprint mentioned in
>the CMP draft-ietf-pkix-ipki3cmp-06.txt. I was wondering if someone
>could please clarify the procedure in section 4.1.  In particular,
>in the second paragraph, I find the use of the terms "this information"
>and "this value" unclear when several values are referred to in the section.

Is the following clearer?

"In order to make the CA's self certificate useful to end entities that
do not acquire the self certificate via "out-of-band" means, the CA
must also produce a fingerprint for its public key.  End entities that
acquire this fingerprint securely via some "out-of-band" means can then
verify the CA's self-certificate and hence the other attributes
contained therein."


>Also, how does the fingerprint allow an end entity to securely use the CA's
>self-certificate, as mentioned in section 4.7.2?

In order to trust the CA's public key, I either need a trusted copy of
the key itself or I need a trusted fingerprint of the key.  If I have
the latter I can verify the self-signed certificate (which I may have
acquired by any untrusted means) because I can compute the fingerprint
of the key in the certificate, compare it with the fingerprint that I
have, and (if they are equal) use the key to verify the certificate.

Carlisle.
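
The check described in the reply above, as an added example that is not part of the original message or of the CMP draft. It assumes the Python "cryptography" package, an Ed25519 CA key, and a fingerprint defined as SHA-256 over the DER SubjectPublicKeyInfo; the draft's own fingerprint format is not given on this page, and all names and certificates here are constructed.

```python
import datetime
import hashlib
import hmac

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.x509.oid import NameOID

def key_fingerprint(public_key) -> bytes:
    # Assumed format: SHA-256 over the DER SubjectPublicKeyInfo.
    spki = public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(spki).digest()

def accept_self_cert(cert_der: bytes, trusted_fp: bytes) -> bool:
    cert = x509.load_der_x509_certificate(cert_der)
    pub = cert.public_key()
    # 1. Fingerprint of the key in the certificate vs. the out-of-band value.
    if not hmac.compare_digest(key_fingerprint(pub), trusted_fp):
        return False
    # 2. Only now use that key to verify the certificate (Ed25519 in this demo).
    try:
        pub.verify(cert.signature, cert.tbs_certificate_bytes)
    except InvalidSignature:
        return False
    return True

def make_cert(embedded_pub, signing_key) -> bytes:
    # Constructed sample data: subject == issuer, one-day validity.
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(embedded_pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(signing_key, None))  # None: Ed25519 takes no separate hash
    return cert.public_bytes(serialization.Encoding.DER)

ca_key = Ed25519PrivateKey.generate()
rogue_key = Ed25519PrivateKey.generate()
TRUSTED_FP = key_fingerprint(ca_key.public_key())        # delivered out of band
GENUINE = make_cert(ca_key.public_key(), ca_key)
IMPOSTOR = make_cert(rogue_key.public_key(), rogue_key)  # same name, other key
TAMPERED = make_cert(ca_key.public_key(), rogue_key)     # right key, bad signature
```

IMPOSTOR carries a valid self-signature, so only the fingerprint comparison rejects it; TAMPERED passes the fingerprint comparison and is rejected by the signature check, which is what protects the other attributes in the certificate.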