
cert chain processing



Is it possible to mandate that if a cert chain is sent, it be sent as a
single cert payload, i.e. a PKCS#7 wrapping of all necessary certs?

I can't think of any good reason to support sending all the certs in
arbitrary orders in the payload.

Ex:

Chain : Root, CA1, CA2, UserCert

Possible payload:
ID, CA2, Sig, CA1, User

Much Better:

ID, Cert, Sig where Cert contains all the necessary certs in one place.

Of course it's possible to grovel around the entire payload and build up the
chain before processing the sig payload, but I see no benefit in supporting
this complexity.

Also, say someone wanted to send 2 chains, for whatever reason.  If it were
mandatory that chains be sent as single cert payloads, this is easy.
Supporting multiple chains within the free-for-all individual cert payload
format is just stupid.

Comments?

bs


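The "grovel around the payload" step the post argues against, written out as an added example (not code from the original message or from any IKE implementation). It models a receiver that must recover one or more chains from cert payloads arriving in arbitrary order, linking certs by issuer-to-subject name matching and stopping at a locally configured trust anchor. The Cert class, the chain-builder and the sample names (Root, CA1, CA2, UserCert, Other) are assumptions made for illustration; signature verification, validity periods and name constraints are deliberately left out so the ordering problem alone is visible. The same routine is what a receiver would run over the contents of a single bundled payload, since it does not depend on the order in which certs appear.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only the names matter for ordering.

    Assumption: real code would carry the DER blob and verify signatures;
    here a cert is identified purely by its subject and issuer names.
    """
    subject: str
    issuer: str


class ChainError(ValueError):
    """Raised when no valid chain can be recovered from the payload."""


def index_by_subject(certs):
    """Map subject name -> list of certs with that subject (may be >1)."""
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    return by_subject


def build_chain(leaf, payload_certs, trust_anchors, max_depth=8):
    """Return [leaf, ..., top CA] where the top CA is issued by a trust anchor.

    Order-independent: walks issuer -> subject links through the payload.
    Refuses to loop (a cert already in the chain is never reused), refuses
    to guess between two certs sharing a subject name, and bounds the depth
    so a hostile payload cannot make the receiver walk forever.
    """
    by_subject = index_by_subject(payload_certs)
    chain = [leaf]
    while chain[-1].issuer not in trust_anchors:
        if len(chain) >= max_depth:
            raise ChainError("chain exceeds max_depth")
        wanted = chain[-1].issuer
        candidates = [c for c in by_subject.get(wanted, []) if c not in chain]
        if not candidates:
            raise ChainError(f"no certificate for issuer {wanted!r}")
        if len(candidates) > 1:
            raise ChainError(f"ambiguous issuer {wanted!r}")
        chain.append(candidates[0])
    return chain


def find_leaves(payload_certs):
    """Certs that issued nothing else in the payload are end-entity candidates.

    With a free-for-all payload the receiver has to work out which certs
    are the chain heads before it can build anything at all.
    """
    issuers = {c.issuer for c in payload_certs}
    return [c for c in payload_certs if c.subject not in issuers]


def build_all_chains(payload_certs, trust_anchors, max_depth=8):
    """Recover every chain from a payload that may carry several of them."""
    return [build_chain(leaf, payload_certs, trust_anchors, max_depth)
            for leaf in find_leaves(payload_certs)]


def chain_subjects(leaf, payload_certs, trust_anchors):
    """Subject names along the chain, or None if no chain can be built."""
    try:
        return [c.subject for c in build_chain(leaf, payload_certs, trust_anchors)]
    except ChainError:
        return None


# Constructed sample mirroring the post's example: Root is a local trust
# anchor and is not sent; the payload carries CA2, CA1 and the user cert in
# the scrambled order "ID, CA2, Sig, CA1, User".
ROOT = "Root"
CA1 = Cert(subject="CA1", issuer=ROOT)
CA2 = Cert(subject="CA2", issuer="CA1")
USER = Cert(subject="UserCert", issuer="CA2")
PAYLOAD = [CA2, CA1, USER]
TRUST_ANCHORS = {ROOT}

if __name__ == "__main__":
    print(chain_subjects(USER, PAYLOAD, TRUST_ANCHORS))
    # A second leaf under CA1 gives the two-chain case from the post.
    two = PAYLOAD + [Cert(subject="Other", issuer="CA1")]
    print([[c.subject for c in ch] for ch in build_all_chains(two, TRUST_ANCHORS)])
```

Running it on the scrambled payload yields the chain UserCert, CA2, CA1; adding a second leaf under CA1 makes build_all_chains return two chains. Dropping CA1 from the payload, or feeding it two certs that issue each other, makes build_chain raise ChainError instead of looping.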