IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: x.509 signature clarification?



On Thu, Jul 05, 2001 at 01:09:39PM -0600, Joseph Galbraith wrote:
> 
> I'm tempted to suggest that the signature is in PKCS #7
> format, though this seems to be a bit of an overkill...
> it would however, address both the above problems, because
> the digest algorithm would be specified as part of the PKCS #7
> packet.  We might consider specifying a PKCS #7 signature,
> with an "external signature" and no included certificates
> or CRL information.

Actually, I think that if we were to go with PKCS #7 (which might
not really be such a bad idea) we'd want to fill out the certificate
as fully as possible, including CRL information.  Look what's happened
to people who've failed to do so (e.g. VeriSign, who ended up in the
unenviable position of having issued bogus certificates but being unable
to revoke them!).

Certainly we should not specify that the CRL field is *not* to be
filled in.

Thor



Home | Main Index | Thread Index | Old Index