IETF-SSH archive


Re: Comments on draft-ietf-secsh-x509-00



On Thu, 2005-03-24 at 02:47, Henrick Hellström wrote:

> >  3) text regarding recommendations for certificate revocation checks.
> > 
> >  4) discussion of how to handle certificate chains.
> 
> These two points are already covered by PKIX documents. I don't think 
> there are any secsh specific considerations here.

There's at least one:  we should either provide an in-band way to carry
cert chains, CRL's, OCSP, etc., or explicitly declare that such traffic
must flow out-of-band.

A use case which came up in pki4ipsec: a firewalled enclave with its pki
infrastructure inside it, with <insert protocol name here> as the only
way in. 

I was in some sense trolling for text explicitly ruling that use case
out of scope for this document....

						- Bill




