By copying comments to the main body, I have the following changes:

Section 3.2.1.

The trustedCertifiers field of the type PA-PK-AS-REQ contains a list of CAs, trusted by the client, that can be used to certify the KDC. Each ExternalPrincipalIdentifier identifies a CA or a CA certificate (thereby its public key).

The kdcPkId field of the type PA-PK-AS-REQ contains a CMS type SignerIdentifier encoded according to [RFC3852]. This field identifies, if present, a particular KDC public key that the client already has.

Section 3.2.2

Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the TD-TRUSTED-CERTIFIERS structure identifies a CA or a CA certificate (thereby its public key) trusted by the KDC.

<<< cut >>>

Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the TD-INVALID-CERTIFICATES structure identifies a certificate (that was sent by the client) with an invalid signature.

<<< cut >>>

The digitalSignature key usage bit MUST be asserted when the intended purpose of the client certificate is restricted with the id-pkinit-KPClientAuth EKU.

Section 3.2.3

The AD-INITIAL-VERIFIED-CAS structure identifies the certification path based on which the client certificate was validated. Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate (thereby its public key).

Section 3.2.3.1

4. The KDCDHKeyInfo structure contains the KDC's public key, a nonce and optionally the expiration time of the KDC's DH key being reused. The subjectPublicKey field of the type KDCDHKeyInfo field identifies KDC's DH public key. This DH public key value is encoded as a BIT STRING according to [RFC3279]. The nonce field contains the nonce in the pkAuthenticator field in the request if the DH keys are NOT reused. The value of this nonce field is 0 if the DH keys are reused. The dhKeyExpiration field is present if and only if the DH keys are reused. If the dhKeyExpiration field is present, the KDC's public key in this KDCDHKeyInfo structure MUST NOT be used past the point of this expiration time. If this field is omitted then the serverDHNonce field MUST also be omitted.

Section 3.2.4

The digitalSignature key usage bit MUST be asserted when the intended purpose of KDC certificate is restricted with the id-pkinit-KPKdc EKU.

With these changes I believe there are NO comments that are not described in the main body of the text.

-- Larry
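As an added illustration of the Section 3.2.3.1 and 3.2.4 rules above (this is not code from the draft, from Larry, or from any PKINIT implementation), the following Python checks a received KDCDHKeyInfo for the nonce / DH-key-reuse / expiration consistency rules and applies the digitalSignature key-usage rule. The ASN.1 structures are represented as plain dicts, times as POSIX seconds, and the EKU and key-usage values as name strings; all of these are assumptions made for the example.

```python
# Added example, not text from the draft or from either poster: a client-side
# check of the KDCDHKeyInfo rules quoted above (nonce, DH-key reuse, expiration)
# and of the digitalSignature key-usage rule. The ASN.1 structures are modelled
# as plain dicts and times as POSIX seconds; both are assumptions made here.

def kdc_dh_key_info_violations(info, request_nonce, server_dh_nonce_present, now):
    """Return the quoted MUST rules a received KDCDHKeyInfo violates (empty = OK).

    info: dict with 'subjectPublicKey' (bytes), 'nonce' (int) and optionally
          'dhKeyExpiration' (POSIX seconds).
    request_nonce: the nonce the client sent in pkAuthenticator.
    server_dh_nonce_present: whether the reply also carried serverDHNonce.
    """
    problems = []
    nonce = info["nonce"]
    expiration = info.get("dhKeyExpiration")
    if expiration is not None:
        # dhKeyExpiration is present iff the KDC reused its DH key
        if nonce != 0:
            problems.append("reused DH key but nonce is not 0")
        if now > expiration:
            problems.append("KDC DH public key used past dhKeyExpiration")
    else:
        # fresh DH key: nonce echoes pkAuthenticator, serverDHNonce must be absent
        if nonce != request_nonce:
            problems.append("nonce does not match the pkAuthenticator nonce")
        if server_dh_nonce_present:
            problems.append("serverDHNonce present although dhKeyExpiration is omitted")
    return problems


def digital_signature_rule_ok(ext_key_usages, key_usages, pkinit_eku):
    """digitalSignature MUST be asserted when the certificate's purpose is restricted
    with the PKINIT EKU (id-pkinit-KPKdc for the KDC, id-pkinit-KPClientAuth for the
    client). ext_key_usages is None when the certificate has no EKU extension, in
    which case its purpose is not restricted and the rule does not apply."""
    if ext_key_usages is not None and pkinit_eku in ext_key_usages:
        return "digitalSignature" in key_usages
    return True


# Constructed sample values, not taken from any real exchange.
SAMPLE_REQUEST_NONCE = 0x1A2B3C4D
SAMPLE_FRESH = {"subjectPublicKey": b"\x00\x01", "nonce": SAMPLE_REQUEST_NONCE}
SAMPLE_REUSED = {"subjectPublicKey": b"\x00\x01", "nonce": 0,
                 "dhKeyExpiration": 1_700_000_000}
```

A client that finds any violation should reject the reply rather than proceed with the offered DH key.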
Jeffrey Altman

Liqiang(Larry) Zhu wrote:
> By copying comments to the main body, I have the following changes:
>
> Section 3.2.1.
>
> The trustedCertifiers field of the type PA-PK-AS-REQ contains a list
> of CAs, trusted by the client, that can be used to certify the KDC.
> Each ExternalPrincipalIdentifier identifies a CA or a CA certificate
> (thereby its public key).
>
> The kdcPkId field of the type PA-PK-AS-REQ contains a CMS type
> SignerIdentifier encoded according to [RFC3852]. This field
> identifies, if present, a particular KDC public key that the client
> already has.
>
> Section 3.2.2
> Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
> TD-TRUSTED-CERTIFIERS structure identifies a CA or a CA certificate
> (thereby its public key) trusted by the KDC.
>
> <<< cut >>>
>
> Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
> TD-INVALID-CERTIFICATES structure identifies a certificate (that was
> sent by the client) with an invalid signature.
>
> <<< cut >>>
> The digitalSignature key usage bit MUST be asserted when the intended
> purpose of the client certificate is restricted with the id-pkinit-
> KPClientAuth EKU.
>
> Section 3.2.3
>
> The AD-INITIAL-VERIFIED-CAS structure identifies the certification
> path based on which the client certificate was validated. Each
> ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-
> INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate
> (thereby its public key).
>
>
> Section 3.2.3.1
>
> 4. The KDCDHKeyInfo structure contains the KDC's public key, a nonce
> and optionally the expiration time of the KDC's DH key being
> reused. The subjectPublicKey field of the type KDCDHKeyInfo
> field identifies KDC's DH public key. This DH public key value
> is encoded as a BIT STRING according to [RFC3279]. The nonce
> field contains the nonce in the pkAuthenticator field in the
> request if the DH keys are NOT reused. The value of this nonce
> field is 0 if the DH keys are reused. The dhKeyExpiration field
> is present if and only if the DH keys are reused. If the
> dhKeyExpiration field is present, the KDC's public key in this
> KDCDHKeyInfo structure MUST NOT be used past the point of this
> expiration time. If this field is omitted then the serverDHNonce
> field MUST also be omitted.
>
>
> Section 3.2.4
>
> The digitalSignature key usage bit MUST be asserted when the intended
> purpose of KDC certificate is restricted with the id-pkinit-KPKdc
> EKU.
>
> With these changes I believe there are NO comments that are not
> described in the main body of the text.
>
> -- Larry
In reply to this post by Larry Zhu
As an individual I support the changes Larry proposes.