
Re: Confirm decision on identity handling.

Hi Michael,

Michael Richardson wrote:
> 
> >>>>> "Scott" == Scott G Kelly <scott@airespace.com> writes:
>     Scott> If the cert contents are not meaningful to the receiver, the discussion
>     Scott> is moot, is it not?
> 
>   Not entirely. If the cert contents are not meaningful to the receiver,
> and the sender does not send an ID payload, then the negotiation fails.

I think we're talking past one another here. I meant that if the
contents aren't meaningful to the receiver, the receiver most likely
can't parse the cert or use the public key contained therein. I think
you must mean something different (like maybe the ID doesn't matter,
since the receiver only requires that the sender present a cert from a
given issuer).

<trimmed...> 
> 
>   I agree that the ID payload is a problem.
>   You'll get no argument from me.
>   As I've said, I'd prefer to fix the ID payload.
> 
>   I am just concerned that the proposed solution of dropping the ID payload
> in this situation leads to a lack of interoperability.
> 
<trimmed...> 
>   I agree.
> 
>   As an alternative, how about:
> 
>       ID_PKIX_CERT                      12
> 
>   No identifier is provided, derive one from the provided certificate.

This is essentially what Jim Knowles proposed (I think), and I think
this is a reasonable compromise. However, I think it will only improve
interoperability if all implementations are required to support it.

Scott
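As an added illustration (not code from this thread or from any IKE implementation), here is a receiver-side sketch in Go of the ID_PKIX_CERT idea discussed above: when the peer sends the proposed type instead of an explicit identifier, the receiver derives the identity from the certificate, and a receiver that never implemented the type has to fail the negotiation, which is the interoperability point Scott raises. The value 12 is the one proposed in the message; ID_FQDN = 2 and ID_DER_ASN1_DN = 9 are assumed to be the assigned IKE identification types, and the certificate is constructed in-line for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IKE identification types. ID_FQDN and ID_DER_ASN1_DN are the assigned values;
// ID_PKIX_CERT = 12 is the value proposed in the message above.
const IDFQDN, IDDERASN1DN, IDPKIXCert = 2, 9, 12

// DeriveID maps a dNSName SAN to ID_FQDN, otherwise the DER subject DN to ID_DER_ASN1_DN.
func DeriveID(cert *x509.Certificate) (int, []byte) {
	if len(cert.DNSNames) > 0 {
		return IDFQDN, []byte(cert.DNSNames[0])
	}
	return IDDERASN1DN, cert.RawSubject
}

// ResolvePeerID is the receiver side: it returns the identity to authorize and ok=true,
// or ok=false when the negotiation must fail. supportsPKIXCert=false models a receiver
// that never implemented the proposed type.
func ResolvePeerID(idType int, idData []byte, cert *x509.Certificate, supportsPKIXCert bool) (int, []byte, bool) {
	t, d := DeriveID(cert)
	if idType != IDPKIXCert {
		return idType, idData, t == idType && string(d) == string(idData)
	}
	if !supportsPKIXCert {
		return 0, nil, false // the interoperability gap raised in the thread
	}
	return t, d, true
}

// MakeTestCert builds a constructed, self-signed certificate for the demonstration.
func MakeTestCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```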