Hi Denis, I haven't looked at the rest of your email, but I don't understand this portion of your commentary: On Mon, Nov 16, 2009 at 04:23, Denis Pinkas <denis.pinkas at bull.net> wrote: > > I am still wondering whether the draft complies with > draft-ietf-pkix-ta-mgmt-reqs-04. > On page 11, we have: > > 3.5. RFC 5280 Support > 3.5.1. Functional Requirements > A trust anchor management protocol MUST enable management of trust > anchors that will be used to validate certification paths and CRLs in > accordance with [RFC5280] and [RFC5055]. A trust anchor format MUST > enable the representation of constraints that influence certification > path validation or otherwise establish the scope of usage of the > trust anchor public key. Examples of such constraints are name > constraints, certificate policies, and key usage. > > The problem is that the current format does not allow a RP or a TAS manager > to add constraints > to a self-signed certificate. This limitation should be mentioned in the > TAMP draft > (or the TAMP draft should be changed). > To add constraints to a self-signed certificate, you simply wrap it in a TrustAnchorInfo structure. This works well. The certificate field of the CertPathControls structure lets you keep the self-signed certificate and add your constraints.Other fields of TrustAnchorInfo can be filled in as part of your store management process. Regards, Geoff
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.