Re: draft-ietf-ipsec-pki-profile-01.txt
On Friday, November 15, 2002, at 08:54 AM, Housley, Russ wrote:
> Brian:
>
>>>>> Please adjust the example description in section 3.3.11.3. There
>>>>> is no requirement that a trust anchor be specified by a
>>>>> self-signed certificate. The peer should never be asked to
>>>>> provide a certificate associated with a trust anchor.
>>>>
>>>> 3.3.11.3 doesn't state that R is a self-signed certificate. I'm
>>>> also not sure that Trust Anchor is what most people will think of
>>>> when they think of certificates for which they have cached the
>>>> validity status. I see what you're saying, but I'm not sure
>>>> how best to say it.
>>>
>>> The example should refer to an intermediate certificate (like CA1),
>>> not the trust anchor (R).
>>
>> I'll change R to CA3 and add ", which can be a self-signed root
>> or any other trust anchor".
>
> The example should not discuss the self-signed certificate! The
> example should discuss an intermediate certificate (like CA1) which is
> clearly part of the certification path. The trust anchor, regardless
> of how it is represented, is not part of the certification path that
> an implementation sends to its peer.
>
Russ,
If trust anchors can be self-signed, what is wrong with
pointing this out? IMHO it makes the example clearer,
as I'm pointing out that CA3 may actually NOT be
self-signed.
-brian
briank@xythos.com