
Re: [pkix] TAMP spec



<snip>

 

The key point is that CAs issue self-signed certificates *without* constraints
in them, and it is up to the RPs or the TAS managers to decide which constraints
should be used with a given self-signed certificate.

[CW] We agree this is the key point – RPs or TAS managers must be able to decide.  TAF and TAMP provide two ways to accomplish this in your scenario – removal of the signature with constraints going in the extensions field of the remaining TBSCertificate structure or wrapping the entire certificate in a TrustAnchorInfo with constraints going in CertPathControls or extensions, as Geoff noted. 


These constraints will not be *within* the self-signed certificate but *outside*
of it. TAMP does not allow supporting this case, but should be able to support it.

[CW] Right, the constraints are not injected into the self-signed certificate.  I think it’s already been noted in a previous thread that even if a self-signed certificate is resident in a store, a TAS manager can add constraints by removing the self-signed certificate and adding it back as a TBSCertificate or TrustAnchorInfo.  This can be done in multiple messages or in a single message with the remove operation appearing before the add operation.  TAMP fully supports this case.

 

Denis

 

<snip>

