[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cert chain processing

To: Brian Swander <briansw@microsoft.com>
Subject: Re: cert chain processing
From: Rodney Thayer <rodney@tillerman.nu>
Date: Thu, 10 Sep 1998 21:54:30 -0400
Cc: ipsec@tis.com
In-Reply-To: <39ADCF833E74D111A2D700805F1951EF053FA365@RED-MSG-06>
Sender: owner-ipsec@ex.tis.com

requiring pkcs7 wrapping of things together doesn't add any value I can see.  You have to store all the certs anyway, you have to process them individually (check sigs, check names, check not-before and not-after times, etc. etc.)

You also can't be sure you'll get the entire chain at once, so you still have to process one at a time.


At 01:59 PM 9/10/98 -0700, you wrote:
>Is it possible to mandate that if sending a cert chain, it be sent as a
>single cert payload as pkcs7 wrapping of all necessary certs?
>
>I can't think of any good reason to support sending all the certs in
>arbitrary orders in the payload.
>
>Ex:
>
>Chain : Root, CA1, CA2, UserCert
>
>Possible payload:
>ID, CA2, Sig, CA1, User
>
>Much Better:
>
>ID, Cert, Sig where Cert contains all the necessary certs in one place.
>
>Of course its possible to grovel around the entire payload and build up the
>chain before processing the sig payload, but I see no benefit in supporting
>this complexity.
>
>Also, say someone wanted to send 2 chains, for whatever reason.  If we had
>it mandatory that chains sent as single cert payloads, this is easy.
>Supporting multiple chains with in the freeforall individual cert payload
>format is just stupid. 
>
>Comments?
>
>bs
>

References:

cert chain processing

From: Brian Swander <briansw@microsoft.com>

Prev by Date: Re: questions: key length & cert retrieve: draft-ietf-ipsec-pki-req-01.txt
Next by Date: Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names
Prev by thread: cert chain processing
Next by thread: Re: questions: key length & cert retrieve: draft-ietf-ipsec-pki-req-01.txt
Index(es):
- Main
- Thread