On 7 Oct 1997, "Blake Ramsdell" <BlakeR(_at_)deming(_dot_)com> said:
> This way, there is a clear separation between the certs that
> are used for signing and the certs used for enveloping. The
> downside is that if there are any common certs in the chain
> (for the same PCA in a hierarchy, for instance), then these
> will be transmitted redundantly.
Blake,
This doesn't necessarily have to be a problem either.
Since you will need to have some kind of procedural text for use
of the attribute anyway, simply state that any certificate need
be included "at most once" in the attribute. This will require
that products keep all the certs from the first path until they
are finished validating the second, but that is probably not
much of a burden. (Other views on this? :-)
Chris
---------------------------------------------------------------
| International Electronic Communication Analysts, Inc. |
| Christopher D. Bonatti 9010 Edgepark Road |
| Vice-president Vienna, Virginia 22182 |
| bonattic(_at_)ieca(_dot_)com Tel: 301-212-9428 Fax: 703-506-8377 |
| PGP public key available from "http://www.ieca.com/" |
---------------------------------------------------------------
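
The "at most once" rule discussed in this message, as an added example that is not part of the original message or of any S/MIME implementation: the sender merges the signing and encryption chains so the shared PCA certificate is carried once, and the receiver builds both paths from the same retained set. The Cert record, the names, the serial numbers and the SHA-256 fingerprint used as the duplicate key are assumptions made for illustration.

```python
import hashlib
from collections import namedtuple

# Constructed stand-in for a parsed certificate; "der" is placeholder bytes,
# not a real encoding. All names and serials below are hypothetical.
Cert = namedtuple("Cert", "subject issuer serial der")

def make(subject, issuer, serial):
    return Cert(subject, issuer, serial, f"{subject}|{issuer}|{serial}".encode())

PCA = make("PCA", "Root", 10)                      # shared by both chains
SIGN_CHAIN = [make("Alice", "CA-Sign", 1), make("CA-Sign", "PCA", 11), PCA]
ENC_CHAIN = [make("Alice", "CA-Enc", 2), make("CA-Enc", "PCA", 12), PCA]

def pack_at_most_once(*chains):
    """Sender: merge chains, keeping each certificate once (keyed by hash)."""
    seen, bag = set(), []
    for cert in (c for chain in chains for c in chain):
        fingerprint = hashlib.sha256(cert.der).digest()
        if fingerprint not in seen:
            seen.add(fingerprint)
            bag.append(cert)
    return bag

def build_path(bag, leaf_issuer, leaf_serial, trust_anchor):
    """Receiver: assemble leaf -> ... -> cert issued by trust_anchor from bag.

    Links by issuer name only (assumes one certificate per CA name); signature
    and validity checks are out of scope for this sketch.
    """
    by_subject = {c.subject: c for c in bag}
    path = [c for c in bag if (c.issuer, c.serial) == (leaf_issuer, leaf_serial)][:1]
    if not path:
        raise LookupError("end-entity certificate not in bag")
    while path[-1].issuer != trust_anchor:
        parent = by_subject.get(path[-1].issuer)
        if parent is None or parent in path:
            raise LookupError(f"no certificate for issuer {path[-1].issuer!r}")
        path.append(parent)
    return path

if __name__ == "__main__":
    bag = pack_at_most_once(SIGN_CHAIN, ENC_CHAIN)
    print(len(bag), "certificates sent instead of", len(SIGN_CHAIN) + len(ENC_CHAIN))
    for issuer, serial in (("CA-Sign", 1), ("CA-Enc", 2)):
        print([c.subject for c in build_path(bag, issuer, serial, "Root")])
```

A receiver that drops the first path's certificates before building the second fails at the PCA link, which is why the full set has to be kept until both paths are done.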