IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Comments on draft-ietf-secsh-x509-00
[WG chair hat off...]
I've been following the efforts of the PKI4IPsec working group as it
struggles to hash out a profile for the use of X.509 with IPsec.
In reading this document I'm struck by how little it says about what
ought to go inside certificates.
I would have hoped to see:
1) expected relationship(s), if any between the certificate Subject
and/or subjectAltName fields and the identity of the server or user
which owns the certificate. (This of course opens up the "Naming is
Hard" discussion.)
2) text regarding KeyUsage and ExtendedKeyUsage.
3) text regarding recommendations for certificate revocation checks.
4) discussion of how to handle certificate chains.
5) more text about the use of certificates for user authentication or a
claim that it's entirely out of scope for the document..
and I bet someone who actually follows PKIX closely would have a
somewhat longer list of concerns...
- Bill
Home |
Main Index |
Thread Index |
Old Index