Re: Confirm decision on identity handling.
Hi Michael,
Michael Richardson wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> >>>>> "Scott" == Scott G Kelly <scott@airespace.com> writes:
> Scott> If the cert contents are not meaningful to the receiver, the discussion
> Scott> is moot, is it not?
>
> Not entirely. If the cert contents are not meaningful to the receiver,
> and the sender does not send an ID payload, then the negotiation fails.
I think we're talking past one another here. I meant that if the
contents aren't meaningful to the receiver, the receiver most likely
can't parse the cert or use the public key contained therein. I think
you must mean something different (like maybe the ID doesn't matter,
since the receiver only requires that the sender present a cert from a
given issuer).
<trimmed...>
>
> I agree that the ID payload is a problem.
> You'll get no argument from me.
> As I've said, I'd prefer to fix the ID payload.
>
> I am just concerned that the proposed solution of dropping the ID payload
> in this situation leads to a lack of interoperability.
>
<trimmed...>
> I agree.
>
> As an alternative, how about:
>
> ID_PKIX_CERT 12
>
> No identifier is provided, derive one from the provided certificate.
This is essentially what Jim Knowles proposed (I think), and I think
this is a reasonable compromise. However, I think it will only improve
interoperability if all implementations are required to support it.
Scott
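Michael's ID_PKIX_CERT proposal says the receiver derives an identifier from the certificate when no ID payload is sent. As an added example (not code from either poster), here is one way a responder could do that derivation in Go, assuming a preference order of SAN e-mail, then SAN DNS name, then the DER subject DN; the peer certificate is constructed inside the block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeriveIKEID derives an IKE identity from a peer certificate sent without an
// ID payload. Preference order is this example's assumption, not a standard:
// SAN e-mail, then SAN DNS name, then the DER-encoded subject DN (as hex).
func DeriveIKEID(cert *x509.Certificate) (idType, value string) {
	if len(cert.EmailAddresses) > 0 {
		return "ID_RFC822_ADDR", cert.EmailAddresses[0]
	}
	if len(cert.DNSNames) > 0 {
		return "ID_FQDN", cert.DNSNames[0]
	}
	// No usable SAN: fall back to the raw subject DN, matched byte for byte.
	return "ID_DER_ASN1_DN", fmt.Sprintf("%x", cert.RawSubject)
}
// BuildTestCert makes a constructed, self-signed peer cert carrying SAN entries.
func BuildTestCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "gw.example.net"},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		EmailAddresses: []string{"gw@example.net"},
		DNSNames:       []string{"gw.example.net"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := BuildTestCert()     // constructed cert; error ignored in this demo
	fmt.Println(DeriveIKEID(cert)) // ID_RFC822_ADDR gw@example.net
}
```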