Re: Confirm decision on identity handling.
>>>>> "Scott" == Scott G Kelly <scott@airespace.com> writes:
Scott> Just wanted to comment on this: I agree with Paul. Since we seem
Scott> unable to produce a coherent specification with respect to PKI-related
Scott> policies, when using certs the ID payload should not be present. If we
I would agree, if you said:
When using a PKIX-style certificate which is provided in a CERT payload,
the ID payload should not be set to anything other than ID_DER_ASN1_DN
or ID_DER_ASN1_GN.
The provided GN or DN MUST be identical to that in the certificate.
(It is redundant, I agree.)
The appropriate policy can clearly be looked up by GN/DN.
So, I just don't get it.
It seems to me that if you are using a pre-exchanged certificate, or other
out-of-band certificate retrieval system, then all ID payload types are
useful.
Scott> this topic. What a farce. For the last several weeks, I've been trying
Scott> to get several ostensibly mature implementations to interoperate using
Scott> certs, and I've not had much success. How sad.
The last time I tried this, it all failed because implementations could
not produce PKCS10 certificate requests, nor could they load self-signed
certificates. So there was no way to get public keys to the other side.
How have things "improved"?
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
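An added example of the check proposed in this message (not code from the thread or any implementation named in it): with a CERT payload present, only an ID_DER_ASN1_DN or ID_DER_ASN1_GN that is byte-identical to the certificate's subject or subjectAltName is accepted, and the peer policy is then looked up by that name. The IKEv2 Identification payload layout (the RFC 4306 form), the DER helpers, the certificate values and the policy table are assumptions constructed here.

```python
# Added example, not from the thread: enforce "ID must be DN/GN identical to the cert".
import struct

ID_DER_ASN1_DN, ID_DER_ASN1_GN = 9, 10          # IKE ID Type codes
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}

def _der(tag, content):                          # short-form DER TLV builder (len < 128)
    return bytes([tag, len(content)]) + content

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_name_to_str(der):
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) as 'CN=..,O=..'."""
    tag, seq, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER Name")
    rdns, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _tlv(seq, pos)             # one RDN (SET); single attribute assumed
        _, atv, _ = _tlv(rdn, 0)
        _, oid, p = _tlv(atv, 0)
        _, val, _ = _tlv(atv, p)
        rdns.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ",".join(rdns)

def build_id_payload(id_type, data):
    """IKEv2 ID payload (assumed layout): NextPayload(1) C/RESERVED(1) Length(2) IDType(1) RESERVED(3) Data."""
    return struct.pack("!BBHB3x", 0, 0, 8 + len(data), id_type) + data

def select_policy(id_payload, cert_subject_der, cert_san_ders, policy_by_name):
    """Reject any ID that is not a DN/GN identical to the certificate; return its policy."""
    if len(id_payload) < 8 or struct.unpack("!H", id_payload[2:4])[0] != len(id_payload):
        raise ValueError("malformed ID payload")
    id_type, id_data = id_payload[4], id_payload[8:]
    if id_type == ID_DER_ASN1_DN and id_data == cert_subject_der:
        name = der_name_to_str(id_data)
    elif id_type == ID_DER_ASN1_GN and id_data in cert_san_ders:
        tag, val, _ = _tlv(id_data, 0)           # rfc822Name [1] / dNSName [2] hold IA5String
        name = val.decode() if tag in (0x81, 0x82) else id_data.hex()
    else:
        raise ValueError("ID payload must be a DN or GN identical to the CERT payload's certificate")
    return policy_by_name.get(name)              # None: no policy for this identity

# Constructed sample data: subject CN=gw.example.com, SAN dNSName gw.example.com
SUBJECT = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"gw.example.com"))))
SAN = [_der(0x82, b"gw.example.com")]
POLICY = {"CN=gw.example.com": "site-to-site", "gw.example.com": "site-to-site"}
```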