[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: *-CERT:

To: frantz@netcom.com (Bill Frantz)
Subject: Re: *-CERT:
From: Carl Ellison <cme@cybercash.com>
Date: Sat, 13 Jul 1996 13:08:41 -0400
Cc: spki@c2.org
Sender: owner-spki@c2.org

At 06:50 PM 7/12/96 -0700, Bill Frantz wrote:
>At  3:18 PM 7/12/96 -0400, Carl Ellison wrote:
>>Does anyone have a strong preference on whether to make the ISSUER-CERT and
>>SUBJECT-CERT fields optional vs. mandatory?
>
>What are the arguments for mandatory?  In general, I like the idea of
>maximum flexability.

I agree with you, as a matter of principle.  The arguments I see for
mandatory fields in a certificate are:

1) simplification of the code which interprets it
2) simplification of the process of analyzing security policies

on the theory that choices require effort (either in code or in humans).

OTOH, for various signed cache entries, there is no real use for these -CERT
fields.  The signed cache entry is likely to express a final result -- a
simple <auth> without a need for checking cert chains.  All of the chain
checking will have been done and will be reflected in the cache entry's
validity period.

So -- in this case, I would agree with you and opt for having -CERT be
optional.  That also allows a delivery of predecessor -CERT fields which
have no pointer but must be sent to the verifier alongside the cert itself
(ala SET).

 - Carl

Prev by Date: Re: draft of SPKI certificate internet-draft
Next by Date: epiphany
Prev by thread: Re: *-CERT:
Next by thread: Re: *-CERT:
Index(es):
- Main
- Thread