[kmf-discuss] PKIX certificate path validation
Jan Pechanec
Jan.Pechanec at Sun.COM
Fri Dec 21 02:39:50 PST 2007
On Thu, 20 Dec 2007, Huie-Ying Lee wrote:
> I read the draft-ietf-secsh-x509-03.txt document today and I think for this to
> work, the number of the responses should be 1 less than the number of the
> certificates and they need to be in order.
The draft is quite vague; I think that the number of OCSP responses
might not correspond to the number of certificates at all. I think it could
be just half of them, for example.
> Currently, kmf_validate_cert() doesn't support this, but I think it is doable
> by adding 2 new attributes to it - a cert chain array and a response array.
> If a cert chain array is provided to kmf_validate_cert(), then the TA cert
> should be the last certificate in the chain.
Yes. Given the option that OCSP responses for only some of the
certificates could be provided, would that be possible?
J.
--
Jan Pechanec
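To make the point of the exchange concrete, here is an added example (not code from the thread, from the draft, or from KMF) that parses and builds the x509v3 public-key blob with independent certificate and OCSP-response counts. The layout (key type, uint32 certificate-count, certificates, uint32 ocsp-response-count, responses) is taken from the later RFC 6187 text and is assumed to match the 2007 draft; the certificate and response bytes are constructed placeholders, not DER.

```python
import struct

def _read_uint32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4

def _read_string(buf, off):
    n, off = _read_uint32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n

def _read_list(buf, off, max_items):
    # Reject an absurd count before walking it, so a hostile count cannot drive a huge loop.
    count, off = _read_uint32(buf, off)
    if count > max_items:
        raise ValueError("implausible count %d" % count)
    items = []
    for _ in range(count):
        item, off = _read_string(buf, off)
        items.append(item)
    return items, off

def parse_x509v3_key_blob(blob, max_items=64):
    """Return (key_type, certificates, ocsp_responses); layout assumed from RFC 6187."""
    key_type, off = _read_string(blob, 0)
    certs, off = _read_list(blob, off, max_items)
    ocsp, off = _read_list(blob, off, max_items)   # count is independent of len(certs)
    if off != len(blob):
        raise ValueError("trailing bytes after the OCSP responses")
    if not certs:
        raise ValueError("at least one certificate is required")
    return key_type.decode("ascii"), certs, ocsp

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def build_x509v3_key_blob(key_type, certs, ocsp):
    out = _ssh_string(key_type.encode("ascii")) + struct.pack(">I", len(certs))
    out += b"".join(_ssh_string(c) for c in certs)
    return out + struct.pack(">I", len(ocsp)) + b"".join(_ssh_string(r) for r in ocsp)

# Constructed sample: three placeholder "certificates" (end entity first, trust anchor
# last) and only one OCSP response, the partial-coverage case raised in the thread.
SAMPLE_CERTS = [b"DER:end-entity", b"DER:intermediate", b"DER:trust-anchor"]
SAMPLE_OCSP = [b"DER:ocsp-for-end-entity"]
SAMPLE_BLOB = build_x509v3_key_blob("x509v3-ssh-rsa", SAMPLE_CERTS, SAMPLE_OCSP)
```

Pairing a response with the certificate it covers still has to be done by matching the response's certificate identifier, not by position, once real DER is in play.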