ietf-smime

RE: Corporate Key mechanism

1998-01-23 16:00:59
On Friday, January 23, 1998 2:57 PM, jsp(_at_)jgvandyke(_dot_)com
[SMTP:jsp(_at_)jgvandyke(_dot_)com] wrote:
I respectfully disagree that the proposed "corporate key" extension in
the user's cert should have the capability to contain the entire
"corporate key" cert because this would be extremely inefficient.  I
believe that the extension only needs to identify the "corporate key"
cert (Issuer GeneralNames and SerialNumber).  There are many ways that
the "corporate key" cert can be distributed such as: CMS SignedData
certificates field, CMS EnvelopedData originatorInfo field, LDAP, X.500,
HTTP, etc.  Once the app has obtained the "corporate key" cert, then it
will probably want to store only a single copy of the "corporate key"
cert in its local database of certs.  If the entire "corporate key" cert
was stored in every user's cert, then the app would have many redundant
copies of the cert in its database (within each user's cert).

I really do see your point John, and I agree about the bloat and
additional storage requirements, which is why I suggested the choice
between the identifier and the certificate itself.  The most important
thing to me is to make sure that in the event that this (potentially
critical) extension is present, that there is a way to make sure that
the certificate to which it refers is present also.

I will say that your comments have me leaning towards not having the
entire cert inside.

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103  Fax +1 425 882 8060

