Re: Revised "RFC [FORMS]" draft

The document has the following substantive changes from earlier
drafts:


Hi Burt-

Here are my initial reactions to the changes.

1. "Notary" and "co-issuer" certificate-signing services are removed,
   since they are a policy certification authority (PCA) matter.


Good.

2. "Prototype certificates" (certificates with a digest in place of a
   signature) are replaced with a simple type consisting of the
   requestor's distinguished name, public key, and signature on the
   two. "Prototype certificates" were a carryover from the "co-issuer"
   service. With that service removed, the simpler type is sufficient.
   The signature on the name and public key prevents a requestor from
   requesting a certificate with another party's public key.


Hmmm...  Perhaps not so good.  "Prototype certificates" weren't just a
"carryover", they were also a minor variation of regular certificates,
and prototype certificate request messages were a minor variation of
normal MIC-{CLEAR,ONLY} messages.  Both were very easy to implement as
minor variations of existing code.  Now, you're introducing a whole new
message type with a whole new object and the need to implement new sets
of code for handling the new message and object.

3. CRLs to be retrieved are identified by an issuer name encoded in
   printable ASCII (as in RFC [1113E] messages), rather than a
   "user-friendly name," to simplify implementation. (No other part of
   the PEM suite supports "user-friendly names.")

Ok.

4. Syntax for the requests and replies generally follows RFC [1113F],
   with the introduction of two new process types, "CERT-REQUEST" and
   "CRL-RETRIEVAL-REQUEST."


Well, I guess I'm potentially uneasy about RFC [FORMS] defining new PEM
message types.  Perhaps PEM message types should only be defined in the
new RFC 1113?

The old RFC FORMS simply made minor variations existing PEM message
types, and I think I'm more comfortable with that, in part for the
reasons I mention above for wanting to retain prototype certificates
and prototype certificate request messages, but also for consistency.

How do others feel about this?

-DB

<Prev in Thread]	Current Thread	[Next in Thread>
Revised "RFC [FORMS]" draft, Burt Kaliski Re: Revised "RFC [FORMS]" draft, David M. Balenson <= Re: Revised "RFC [FORMS]" draft, Charles W. Gardiner Revised "RFC [FORMS]" draft, Burt Kaliski Re: Revised "RFC [FORMS]" draft, Steve Kent Revised "RFC [FORMS]" draft, Jeff Thompson Re: Revised "RFC [FORMS]" draft, Steve Kent Revised "RFC [FORMS]" draft, Burt Kaliski Re: Revised "RFC [FORMS]" draft, Steve Kent Revised "RFC [FORMS]" draft, Jeffrey I. Schiller Re: Revised "RFC [FORMS]" draft, James M Galvin Revised "RFC [FORMS]" draft, Burt Kaliski

Previous by Date:	Trees, forests and thickets, Stephen D Crocker
Next by Date:	Re: Two certificate hierarchy questions, Stephen D Crocker
Previous by Thread:	Revised "RFC [FORMS]" draft, Burt Kaliski
Next by Thread:	Re: Revised "RFC [FORMS]" draft, Charles W. Gardiner
Indexes:	[Date] [Thread] [Top] [All Lists]