Re: draft-ietf-ipsec-pki-profile-01.txt
Brian:

>>>>Please adjust the example description in section 3.3.11.3.  There is no 
>>>>requirement that a trust anchor be specified by a self-signed 
>>>>certificate.  The peer should never be asked to provide a certificate 
>>>>associated with a trust anchor.
>>>
>>>3.3.11.3 doesn't state that R is a self-signed certificate.  I'm
>>>also not sure that Trust Anchor is what most people will think of
>>>when they think of certificates for which they have cached the
>>>validity status.  I see what you're saying, but I'm not sure
>>>how best to say it.
>>
>>The example should refer to an intermediate certificate (like CA1), not 
>>the trust anchor (R).
>
>I'll change R to CA3 and add ", which can be a self-signed root
>or any other trust anchor".

The example should not discuss the self-signed certificate!  The example 
should discuss an intermediate certificate (like CA1) which is clearly part 
of the certification path.  The trust anchor, regardless of how it is 
represented, is not part of the certification path that an implementation 
sends to its peer.

Russ
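As an added illustration of the point above (example code written for this page, not from the draft or from anyone in the thread): with a constructed chain R -> CA1 -> CA2 -> EE, the certificates an implementation sends to its peer stop just below whichever certificate the peer holds as its trust anchor, whether that anchor is the self-signed root R or the intermediate CA1. The names, the plain-record certificates and the lookup of anchors by subject name are assumptions for illustration, not real X.509 handling.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a certificate: only the names matter here."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed chain, end entity first, up to the self-signed root.
R = Cert("R", "R")
CA1 = Cert("CA1", "R")
CA2 = Cert("CA2", "CA1")
EE = Cert("EE", "CA2")
CHAIN = [EE, CA2, CA1, R]


def path_to_send(chain, trust_anchors):
    """Return the certification path an implementation sends to its peer.

    The path runs from the end-entity certificate up to, but excluding, the
    first certificate the peer trusts as an anchor. The anchor itself is never
    sent, and it need not be self-signed: CA1 can serve as an anchor just as
    R can. Anchors are matched by subject name (an assumption of this example).
    """
    out = []
    for cert in chain:
        if cert.subject in trust_anchors:
            return out
        out.append(cert)
    raise ValueError("chain does not reach any of the given trust anchors")


if __name__ == "__main__":
    # Peer trusts the self-signed root: R is left out of what is sent.
    print([c.subject for c in path_to_send(CHAIN, {"R"})])    # ['EE', 'CA2', 'CA1']
    # Peer trusts the intermediate CA1 directly: CA1 and R are left out.
    print([c.subject for c in path_to_send(CHAIN, {"CA1"})])  # ['EE', 'CA2']
```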