[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cert chain satisfaction hints
Carl Ellison wrote:
> when 5-tuple reduction fails to find a certificate chain to validate a
>request, it should give the caller hints about what would be needed to
>satisfy that request -- or at least to make progress. One hint is available
>automatically: the cert which was looking for a predecessor cert (if
>you're working backwards from the request) or the cert looking for a
>successor (if you're working forward from an ACL entry). If there were
>multiple possible threads, only one of which had to be satisfied, then there
>might be multiple raw ends which could be reported back to the caller.
> Of course, as Ron keeps pointing out, it's the job of the requester to find
>and supply the right certificates, so the verifier would probably just ship
>the relevant certificates back to the requester and let him determine what
>to do next.
Working "forward" from an ACL entry, or minimally ensuring that at least one
of the certificates presented for validation was authored by the verifier,
seems needed to avoid possible circularity. For example, I might create a
ring of 5 (or 10 or more) certificates A --> B --> C ... --> A and submit
then to a verifier, just to see what happens.
___TONY___ (GAK me with a spoon)