Re: draft-ietf-ipsec-pki-profile-01.txt
Brian:
Ref: section 3.3.11.3
>If trust anchors can be self-signed, what is wrong with
>pointing this out? IMHO it makes the example clearer,
>as I'm pointing out that CA3 may actually NOT be
>self-signed.
The document says:
Imagine that an implementation has previously received and cached the
peer certificate chain R->CA1->CA2->EE. If during a subsequent
exchange this implementation sends a CERTREQ containing the Subject
Name in certificate R, this implementation is requesting that the
peer send at least 3 certificates: CA1, CA2, and EE. On the other
hand, if this implementation also sends a CERTREQ containing the
Subject Name of CA2, the implementation is providing a hint that only 1
certificate needs to be sent: EE.
This is fine. For some reason, I misread it, and thought that in the first
case the certificate for R was being transmitted. Upon rereading it, I see
otherwise. My objections dealt with the transmission of the certificate for R.
Sorry for the confusion,
Russ
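The chain-hint rule in the passage quoted above, worked through as an added example that is not part of the draft or of this thread. The chain representation (a list of (subject, issuer) pairs from trust anchor to end entity), the names CN=R, CN=CA1, CN=CA2 and CN=EE, and the function name are assumptions made for illustration; the draft's own CERTREQ encoding is not modelled.

```python
# Added example, not taken from draft-ietf-ipsec-pki-profile or the thread.
# Models the rule: a CERTREQ naming a certificate in the cached chain asks
# the peer to send every certificate below that name, and nothing above it.

from typing import List, Sequence, Tuple

Cert = Tuple[str, str]  # (subject name, issuer name); both assumed forms

# Constructed sample chain R->CA1->CA2->EE, trust anchor first.
# R is written as self-signed here, but the rule below never depends on it.
CACHED_CHAIN: List[Cert] = [
    ("CN=R",   "CN=R"),
    ("CN=CA1", "CN=R"),
    ("CN=CA2", "CN=CA1"),
    ("CN=EE",  "CN=CA2"),
]


def check_chain(chain: Sequence[Cert]) -> None:
    """Reject a cached chain whose links do not join up.

    Every certificate after the first must name the previous certificate's
    subject as its issuer; otherwise a hint computed from it is meaningless.
    """
    for (prev_subject, _), (subject, issuer) in zip(chain, chain[1:]):
        if issuer != prev_subject:
            raise ValueError(f"{subject} is not issued by {prev_subject}")


def certs_to_send(chain: Sequence[Cert], certreq_names: Sequence[str]) -> List[str]:
    """Return the subject names the peer must send for the given CERTREQs.

    A CERTREQ carrying the Subject Name of chain[i] requests chain[i+1:].
    With several CERTREQs the deepest matching name is used, because it
    leaves the fewest certificates to transmit. The named certificate itself
    (R, CA2, ...) is never part of the result, which is exactly the point
    clarified in the thread above.
    """
    check_chain(chain)
    deepest = -1
    for name in certreq_names:
        for index, (subject, _) in enumerate(chain):
            if subject == name:
                deepest = max(deepest, index)
    if deepest < 0:
        # Behaviour when no CERTREQ matches the cached chain is not covered
        # by the quoted passage, so refuse rather than guess.
        raise ValueError("no CERTREQ Subject Name matches the cached chain")
    return [subject for subject, _ in chain[deepest + 1:]]


if __name__ == "__main__":
    # CERTREQ for R alone: peer sends CA1, CA2, EE (three certificates).
    print(certs_to_send(CACHED_CHAIN, ["CN=R"]))
    # CERTREQ for R and for CA2: the CA2 hint wins, only EE is needed.
    print(certs_to_send(CACHED_CHAIN, ["CN=R", "CN=CA2"]))
```

The two calls under `__main__` reproduce the two cases in the quoted text: naming only R yields CA1, CA2 and EE, while adding a CERTREQ for CA2 reduces the answer to EE alone. In neither case does R appear in the output.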