[Top] [All Lists]

Re: cert-03 - signature validation failure

1998-04-13 06:35:57
From: Paul Hoffman / IMC <phoffman(_at_)imc(_dot_)org>

At 09:50 AM 4/10/98 -0400, John Pawling wrote:
The reporting of cert
path validation errors is not specific to S/MIME.  It is a topic that
belongs in the PKIX WG, not S/MIME WG.

I agree with John here. I think that this topic should be brought up in
PKIX, where there is a document on cert policies (that has gone without
almost any discussion as far as I can tell).

I agree with Paul and John on the narrow issue of cert path validation
errors.  However, the specific error codes which might result from any
particular processing module (and ASN.1 syntax for status reporting)
are the twigs on a tree; Elliott is looking at the forest.

S/MIME should say more than it now says to encourage vendors to allow
customers to configure products.  Recommending that the results of cert
path validation (PKIX-specific) or ESSSecurityLabel processing
(S/MIME-specific) be made available in a form that allows customers
to implement their own security policies is a step in the right

From: Elliott Ginsburg <ginsburg(_at_)mitre(_dot_)org>

My suggestion of having a set of identified
errors was an attempt to push products in this direction.

I'm certainly open to any suggestions of how to proceed. I've considered
the possibility of, rather than requiring anything, instead including a
good discussion in the security section to at least make sure this issue is
well inderstood.

Eminently reasonable.