Comments on draft-ietf-secsh-x509-00

To: ietf-ssh%netbsd.org@localhost
Subject: Comments on draft-ietf-secsh-x509-00
From: Bill Sommerfeld <sommerfeld%sun.com@localhost>
Date: Wed, 23 Mar 2005 20:55:07 -0500

[WG chair hat off...]

I've been following the efforts of the PKI4IPsec working group as it
struggles to hash out a profile for the use of X.509 with IPsec.  

In reading this document I'm struck by how little it says about what
ought to go inside certificates.  

I would have hoped to see:

 1) expected relationship(s), if any between the certificate Subject
and/or subjectAltName fields and the identity of the server or user
which owns the certificate.  (This of course opens up the "Naming is
Hard" discussion.)

 2) text regarding KeyUsage and ExtendedKeyUsage.

 3) text regarding recommendations for certificate revocation checks.

 4) discussion of how to handle certificate chains.

 5) more text about the use of certificates for user authentication or a
claim that it's entirely out of scope for the document..

and I bet someone who actually follows PKIX closely would have a
somewhat longer list of concerns...

						- Bill

Follow-Ups:
- Re: Comments on draft-ietf-secsh-x509-00
  - From: Oskari Saarenmaa
- Re: Comments on draft-ietf-secsh-x509-00
  - From: Henrick Hellström

Prev by Date: Start of WG Last Call on: draft-ietf-secsh-newmodes-03.txt
Next by Date: Re: Comments on draft-ietf-secsh-x509-00
Previous by Thread: I-D ACTION:draft-ietf-secsh-x509-00.txt
Next by Thread: Re: Comments on draft-ietf-secsh-x509-00
Indexes:

Home | Main Index | Thread Index | Old Index