[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names



>>
>>Could you change the wording of the third paragraph of section 3.2 to say:
>>
>>A root signing certificate
>>  ^^^^
>
>No.  If it's not at the top of the hierarchy then it's not a root.
>Been there, got that wrong.  You might not like my mandating 8 layers, and
>that's fine, but
>I am positive we'll need to deal with more than one-layer hierarchies.

Without the "root" specification, this paragraph (as well as the last
sentence of the second paragraph in section 3.3) precludes the sending
of certificate chains via IKE (which is fine with me since the proper
handling of chains received via IKE is not a simple matter :).

-dmason


Follow-Ups: