Re: CONSENSUS CALL - #842 - Certificate path validation

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Re: CONSENSUS CALL - #842 - Certificate path validation

Jeffrey Hutzelman
On Mon, 18 Apr 2005, Jeffrey Hutzelman wrote:

>
> I would like to see answers to the following questions:
>
> - Does the WG agree that certificate chains should be sent and validated
>   as described for "approach A" ?
> - Is there anyone who would prefer "approach B" over "approach A"?
>
>
> Please send your comments, even if you have commented on this issue before.
> Again, it is much easier for me to evaluate responses to a specific binary
> question than to try to interpret past messages.

      This topic was about making sure that it is possible for
      certificate chain validation to happen.  Back in April I
      performed a consensus call on what I called "Approach A".

      This approach requires that if one side sends all the certs
      needed to construct a valid path (excluding the root), then
      the receiving side MUST be capable of doing the validation.
      It also requires that both client and KDC be capable of
      sending the complete set of certs, if the right set of certs
      is provided through configuration or policy.

      Brian, Sam, Larry, and I all prefer approach A.
      Nico and Love both are equally happy with approach A or B.
      I was unable to find any comments from anyone else.
      So that means we had around 5 responses to the consensus call,
      all positive or neutral.  That, combined with my previous
      comments on expiration of consensus calls, leads me to believe
      that there is in fact consensus to go ahead with approach A.

      I note that PKINIT-26 already reflects this approach, so I
      will close ticket #842 without further comment.

-- Jeff