ietf-smime

Re: Last Call comments on the Message And Certificate Drafts

1999-01-14 08:43:27
Blake:

Message Draft comments

6. Section A - Changing to an ASN module would be considered niceness but
not necessity.  I am finding that I use ASN modules more and more for
creation of ASN encode/decode functions.  Given that we now have several
different ASN structures in this appendix, I would like to see this combined
into an ASN module.  I can create this if desired.

I strongly agree.  So, I have assigned an OID for the module identifier.

        id-mod-msg-v3            OBJECT IDENTIFIER ::= { id-mod 4 }


Certificate Draft comments

4. Section 2.3 - P#3 - Given inheritance of DSA parameters do we need to
modify the statement on not sending the root CA cert.  Messages are not even
internally validatable without the root in some cases.

I agree.  We should not prohibit the inclusion of root certificates (or any
certificate).

8. Section 4.4.1 - We have a big conflict with PKIX.  We say
basicConstraints should appear, they say it should not.  My personal opinion
on this one is that PKIX is wrong and we should not change it, but I raise
this as an incompatibility between the two drafts.

Very good catch.

MSG-06 says: "Certificates SHOULD contain a basicConstraints extension."

PKIX Part 1 requires the basicConstraints extension to be present in CA
certificates, and it says that the basicConstraints extension should not be
present in end-entity certificates.

I suggest that we adopt the PKIX Part 1 text.

9. Section 4.4.1 - Should we add the same criticality statement as occurs in
PKIX -- i.e. MUST be critical if it appears.  I recommend that we strike the
criticality statement in 4.4.2 as it duplicates information in PKIX part1.

I agree.  When the basicConstraints extension is present, it MUST be
critical.

Russ
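
The basicConstraints rules discussed in items 8 and 9 above (required in CA certificates, should not appear in end-entity certificates, critical whenever present), written as a check over a DER-encoded Extensions value. This is an added example, not part of the original message or of either draft; the function names, the `is_ca` parameter and the hand-encoded sample bytes are assumptions made for illustration.

```python
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19, DER content octets

def read_tlv(buf, pos):
    """Decode one definite-length DER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def check_basic_constraints(extensions_der, is_ca):
    """Check one Extensions SEQUENCE against the rules quoted in the message.

    is_ca is the role the caller expects of the certificate (an assumption
    of this example). Returns a list of finding strings, empty if clean.
    """
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    findings, present, pos = [], False, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        tag, oid, nxt = read_tlv(ext, 0)
        if tag != 0x06 or oid != BASIC_CONSTRAINTS:
            continue
        present = True
        # critical is BOOLEAN DEFAULT FALSE, so DER omits it when FALSE.
        tag, val, _ = read_tlv(ext, nxt)
        if not (tag == 0x01 and val == b"\xff"):
            findings.append("basicConstraints present but not critical")
    if is_ca and not present:
        findings.append("CA certificate lacks basicConstraints")
    if not is_ca and present:
        findings.append("end-entity certificate carries basicConstraints")
    return findings

# Constructed sample Extensions values (hand-encoded DER, not from real certificates).
CA_CRITICAL = bytes.fromhex("3011300f0603551d130101ff040530030101ff")
CA_NONCRITICAL = bytes.fromhex("300e300c0603551d13040530030101ff")
KEYUSAGE_ONLY = bytes.fromhex("3010300e0603551d0f0101ff0404030205a0")
```
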