PKINIT -30 more editorial changes


Larry Zhu
By copying comments to the main body, I have the following changes:

Section 3.2.1.

   The trustedCertifiers field of the type PA-PK-AS-REQ contains a list
   of CAs, trusted by the client, that can be used to certify the KDC.
   Each ExternalPrincipalIdentifier identifies a CA or a CA certificate
   (thereby its public key).

   The kdcPkId field of the type PA-PK-AS-REQ contains a CMS type
   SignerIdentifier encoded according to [RFC3852].  This field
   identifies, if present, a particular KDC public key that the client
   already has.

Section 3.2.2

   Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
   TD-TRUSTED-CERTIFIERS structure identifies a CA or a CA certificate
   (thereby its public key) trusted by the KDC.

 <<< cut >>>

   Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
   TD-INVALID-CERTIFICATES structure identifies a certificate (that was
   sent by the client) with an invalid signature.

 <<< cut >>>
   The digitalSignature key usage bit MUST be asserted when the intended
   purpose of the client certificate is restricted with the id-pkinit-
   KPClientAuth EKU.

Section 3.2.3

   The AD-INITIAL-VERIFIED-CAS structure identifies the certification
   path based on which the client certificate was validated.  Each
   ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-
   INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate
   (thereby its public key).


Section 3.2.3.1

   4.  The KDCDHKeyInfo structure contains the KDC's public key, a nonce
       and optionally the expiration time of the KDC's DH key being
       reused.  The subjectPublicKey field of the type KDCDHKeyInfo
       field identifies KDC's DH public key.  This DH public key value
       is encoded as a BIT STRING according to [RFC3279].  The nonce
       field contains the nonce in the pkAuthenticator field in the
       request if the DH keys are NOT reused.  The value of this nonce
       field is 0 if the DH keys are reused.  The dhKeyExpiration field
       is present if and only if the DH keys are reused.  If the
       dhKeyExpiration field is present, the KDC's public key in this
       KDCDHKeyInfo structure MUST NOT be used past the point of this
       expiration time.  If this field is omitted then the serverDHNonce
       field MUST also be omitted.


Section 3.2.4

   The digitalSignature key usage bit MUST be asserted when the intended
   purpose of KDC certificate is restricted with the id-pkinit-KPKdc
   EKU.

With these changes I believe there are NO comments that are not
described in the main body of the text.

-- Larry


Attachment: draft-ietf-cat-kerberos-pk-init-30.txt (57K)
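The Section 3.2.3.1 text above couples several fields of KDCDHKeyInfo (nonce, dhKeyExpiration, serverDHNonce) to whether the KDC reused its DH key. The following is an added example of a client-side consistency check for those rules, not code from the draft or from this thread; it assumes the structure has already been DER-decoded into a hypothetical `KDCDHKeyInfo` dataclass with the draft's field names and that dhKeyExpiration is carried as POSIX seconds.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KDCDHKeyInfo:
    """Hypothetical decoded KDCDHKeyInfo; field names follow the draft."""
    subjectPublicKey: bytes               # contents of the RFC 3279 BIT STRING
    nonce: int                            # copied from pkAuthenticator, or 0 on reuse
    dhKeyExpiration: Optional[int] = None  # KerberosTime as POSIX seconds (assumption)


def check_kdc_dh_key_info(info: KDCDHKeyInfo, request_nonce: int,
                          server_dh_nonce: Optional[bytes], now: int) -> List[str]:
    """Return every Section 3.2.3.1 rule the reply violates; an empty list means accept."""
    problems: List[str] = []
    if not info.subjectPublicKey:
        problems.append("subjectPublicKey is empty")

    # dhKeyExpiration is present if and only if the KDC reused its DH key,
    # so its presence is what tells the client which nonce rule applies.
    reused = info.dhKeyExpiration is not None
    if reused:
        if info.nonce != 0:
            problems.append("nonce must be 0 when the KDC reuses its DH key")
        if now >= info.dhKeyExpiration:
            # the KDC public key MUST NOT be used past the expiration time
            problems.append("KDC DH key is past dhKeyExpiration")
    else:
        if info.nonce != request_nonce:
            problems.append("nonce does not match the pkAuthenticator nonce")
        if server_dh_nonce is not None:
            # serverDHNonce MUST be omitted when dhKeyExpiration is omitted
            problems.append("serverDHNonce present without dhKeyExpiration")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not a real exchange.
    fresh = KDCDHKeyInfo(subjectPublicKey=b"\x00\x02\x01\x00", nonce=123456)
    print(check_kdc_dh_key_info(fresh, 123456, None, now=1000))           # []
    reused = KDCDHKeyInfo(subjectPublicKey=b"\x00\x02\x01\x00", nonce=0,
                          dhKeyExpiration=2000)
    print(check_kdc_dh_key_info(reused, 123456, b"\x01" * 32, now=2500))  # expired
```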
Re: PKINIT -30 more editorial changes

Jeffrey Altman
Liqiang(Larry) Zhu wrote:

> By copying comments to the main body, I have the following changes:
>
> Section 3.2.1.
>
>    The trustedCertifiers field of the type PA-PK-AS-REQ contains a list
>    of CAs, trusted by the client, that can be used to certify the KDC.
>    Each ExternalPrincipalIdentifier identifies a CA or a CA certificate
>    (thereby its public key).
>
>    The kdcPkId field of the type PA-PK-AS-REQ contains a CMS type
>    SignerIdentifier encoded according to [RFC3852].  This field
>    identifies, if present, a particular KDC public key that the client
>    already has.
>
> Section 3.2.2
>    Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
>    TD-TRUSTED-CERTIFIERS structure identifies a CA or a CA certificate
>    (thereby its public key) trusted by the KDC.
>
>  <<< cut >>>
>
>    Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
>    TD-INVALID-CERTIFICATES structure identifies a certificate (that was
>    sent by the client) with an invalid signature.
>
>  <<< cut >>>
>    The digitalSignature key usage bit MUST be asserted when the intended
>    purpose of the client certificate is restricted with the id-pkinit-
>    KPClientAuth EKU.
>
> Section 3.2.3
>
>    The AD-INITIAL-VERIFIED-CAS structure identifies the certification
>    path based on which the client certificate was validated.  Each
>    ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-
>    INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate
>    (thereby its public key).
>
>
> Section 3.2.3.1
>
>    4.  The KDCDHKeyInfo structure contains the KDC's public key, a nonce
>        and optionally the expiration time of the KDC's DH key being
>        reused.  The subjectPublicKey field of the type KDCDHKeyInfo
>        field identifies KDC's DH public key.  This DH public key value
>        is encoded as a BIT STRING according to [RFC3279].  The nonce
>        field contains the nonce in the pkAuthenticator field in the
>        request if the DH keys are NOT reused.  The value of this nonce
>        field is 0 if the DH keys are reused.  The dhKeyExpiration field
>        is present if and only if the DH keys are reused.  If the
>        dhKeyExpiration field is present, the KDC's public key in this
>        KDCDHKeyInfo structure MUST NOT be used past the point of this
>        expiration time.  If this field is omitted then the serverDHNonce
>        field MUST also be omitted.
>
>
> Section 3.2.4
>
>    The digitalSignature key usage bit MUST be asserted when the intended
>    purpose of KDC certificate is restricted with the id-pkinit-KPKdc
>    EKU.
>
> With these changes I believe there are NO comments that are not
> described in the main body of the text.
>
> -- Larry
I support these changes.

Jeffrey Altman

Attachment: smime.p7s (4K)
Re: PKINIT -30 more editorial changes

Sam Hartman-5
As an individual I support the changes Larry proposes.