pem-dev

Re[2]: Proposed new X.509 certificate

1994-02-08 18:38:00
Charlie --

     If you decide to go your own way, there is a problem with PKCS #6 
     (and also with your proposal) that you should probably fix.  
     Additional attributes in the certificate should be in two groups: 
     Class 1 are attributes that if you don't know what they mean, you 
     should ignore them (e.g. internet mail address), while Class 2 
     are attributes that if you don't know what they mean, you should
     reject the certificate (e.g. Disclaimers).  That would enable you 
     to add new attributes without changing the standard *and* without 
     giving up interoperability with existing implementations.

This is something to consider for the next PKCS #6, as well as for 
X.509's revision. I've heard of similar ideas in X.500 directory 
services, where some attributes on service requests can be ignored, 
and others are essential. Thanks for the suggestion.

-- Burt
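
The two-class rule discussed above, as an added example that is not part of the original message or of PKCS #6. The names (Attribute, AttrClass, process_attributes, the handler tables) and the sample attribute names and values are hypothetical, and validating the value of an understood attribute is an assumption of this sketch.

```python
from dataclasses import dataclass
from enum import Enum

class AttrClass(Enum):
    IGNORABLE = 1   # "Class 1": skip the attribute if it is not understood
    ESSENTIAL = 2   # "Class 2": reject the certificate if it is not understood

@dataclass(frozen=True)
class Attribute:
    name: str               # hypothetical attribute identifier
    attr_class: AttrClass
    value: str

class CertificateRejected(Exception):
    """Raised when the attribute rules say the certificate must not be used."""

def process_attributes(attributes, handlers):
    """Apply the two-class rule for one implementation.

    handlers maps the attribute names this implementation understands to a
    callable that checks the value. Returns (understood, ignored) name lists.
    """
    understood, ignored = [], []
    for attr in attributes:
        handler = handlers.get(attr.name)
        if handler is None:
            if attr.attr_class is AttrClass.ESSENTIAL:
                raise CertificateRejected(f"unknown essential attribute: {attr.name}")
            ignored.append(attr.name)   # unknown but ignorable: carry on
            continue
        # Assumption of this sketch: an understood attribute must still validate.
        if not handler(attr.value):
            raise CertificateRejected(f"invalid value for attribute: {attr.name}")
        understood.append(attr.name)
    return understood, ignored

def accepts(attributes, handlers):
    """True if this implementation would accept the certificate's attributes."""
    try:
        process_attributes(attributes, handlers)
        return True
    except CertificateRejected:
        return False

# Constructed sample data: an older and a newer implementation, three certificates.
OLD_IMPL = {"internet-mail-address": lambda v: "@" in v}
NEW_IMPL = {**OLD_IMPL, "disclaimer": lambda v: len(v) > 0}
CERT_A = [Attribute("internet-mail-address", AttrClass.IGNORABLE, "user@example.org")]
CERT_B = CERT_A + [Attribute("disclaimer", AttrClass.ESSENTIAL, "not valid for contracts")]
CERT_C = CERT_A + [Attribute("nickname", AttrClass.IGNORABLE, "cb")]
```

The older implementation keeps working with CERT_C, which carries a new ignorable attribute, and fails closed on CERT_B, whose disclaimer it cannot interpret.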
