[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [pkix] TAMP spec

From: Thomas Pornin <pornin at bolet.org>
To: pkix <pkix at ietf.org>
Date: Fri, 20 Nov 2009 14:30:23 +0100
In-reply-to: <DreamMail__124515_02060832327 at msga-001.frcl.bull.fr>
References: <FAD1CF17F2A45B43ADE04E140BA83D48E0E120 at scygexch1.cygnacom.com> <DreamMail__124515_02060832327 at msga-001.frcl.bull.fr>
List-id: PKIX Working Group <pkix.ietf.org>

On Fri, Nov 20, 2009 at 12:45:15PM +0100, Denis Pinkas wrote:
> These constraints will not be *within* the self-signed certificate

Where is the problem ? Nobody cares about the certificate to be
_self-signed_ since it is a TA; there is no point in verifying that
signature. Correspondingly, anyone can reencode the certificate with
arbitrary extensions within it; this merely invalidates the signature,
which nobody looks at anyway.


	--Thomas Pornin

Follow-Ups:
- Re: [pkix] TAMP spec
  - From: Denis Pinkas

References:
- Re: [pkix] TAMP spec
  - From: Carl Wallace
- Re: [pkix] TAMP spec
  - From: Denis Pinkas

Prev by Date: Re: [pkix] TAMP spec
Next by Date: Re: [pkix] way forward for 5280
Previous by thread: Re: [pkix] TAMP spec
Next by thread: Re: [pkix] TAMP spec
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.