3 Jan 2008 17:53
Q on X.509 authentication in SSH draft
Jan Pechanec <Jan.Pechanec <at> Sun.COM>
2008-01-03 16:53:32 GMT
hi,

in section 4.1 of draft-ietf-secsh-x509-03.txt[1], where the "x509v3-sign" format is defined, there is this sentence:

> The first certificate in the list MUST be the end-entity one, and any
> other certificates MUST be part of the end-entity certificate's path.

depending on CA policy, not all certificates need to be accompanied by an OCSP response, but could it be assumed that the OCSP response list is "sorted" according to the certificates supplied? It means that one could just go through the certificate list and check the first not yet processed OCSP response for a match, whether it is the only SingleResponse in the OCSP response or the first unprocessed SingleResponse as part of one OCSP response.

I also assume that the certificate list is "sorted", but neither that is explicitly defined there, and I think it should be. I don't see any problem for the party being authenticated to send an already sorted list of OCSP responses. Well, I could live with the unsorted list, too, but the sorted list is just more efficient if we consider a long validation path. What is more important, I think, is that it would be nice if this were explicitly specified there.

anyway, given all the options for how it could be done, I'm thinking that it would be simpler to use a pair of strings for every certificate - the certificate itself and an optional OCSP response, which could be an empty string. And it would be sorted for use by the PKIX validation path algorithm. It wouldn't increase the length of the data much in comparison to the length of the certificates, and one could easily separate them into two sorted lists if needed.
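The two layouts compared in the message above, as an added example that is not code from the draft, from the poster, or from any SSH implementation. It encodes and decodes (A) the certificate list plus separate OCSP response list, and (B) the proposed per-certificate (certificate, optional OCSP) pairs, and shows where positional matching of responses to certificates stops being unambiguous. Assumptions, labelled as such: layout A is taken to be RFC 4251 `uint32` counts each followed by that many `string` items (the layout RFC 6187, the draft's successor, uses); certificates and OCSP responses are opaque byte strings and no DER is parsed; `MAX_ITEMS` and the "no more responses than certificates" check are sanity limits of this example, not rules from the draft; all sample values are constructed stand-ins.

```python
"""Added example: SSH-style encoding of the two x509v3-sign layouts discussed.
Assumed wire layout (not quoted from the draft): uint32 count + `string` items,
as in RFC 4251 / RFC 6187. Certificates and OCSP responses are opaque here."""
import struct
from typing import List, Optional, Tuple

MAX_ITEMS = 64  # assumption: sanity cap, no realistic chain is this long


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Bounds-checked cursor: every length is validated before indexing."""
    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def uint32(self) -> int:
        if len(self.data) - self.pos < 4:
            raise ValueError("truncated uint32")
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def string(self) -> bytes:
        n = self.uint32()
        if n > len(self.data) - self.pos:  # length field pointing past the buffer
            raise ValueError("string length exceeds buffer")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s

    def finish(self) -> None:
        if self.pos != len(self.data):
            raise ValueError("trailing bytes after structure")


def read_count(r: Reader, what: str) -> int:
    n = r.uint32()
    if n == 0 or n > MAX_ITEMS:  # at least the end-entity cert, at most the cap
        raise ValueError(f"bad {what} count {n}")
    return n


# ---- layout A: certificate list, then a separate OCSP response list ------
def encode_lists(certs: List[bytes], ocsps: List[bytes]) -> bytes:
    return (struct.pack(">I", len(certs)) + b"".join(map(ssh_string, certs))
            + struct.pack(">I", len(ocsps)) + b"".join(map(ssh_string, ocsps)))


def decode_lists(blob: bytes) -> Tuple[List[bytes], List[bytes]]:
    r = Reader(blob)
    certs = [r.string() for _ in range(read_count(r, "certificate"))]
    m = r.uint32()
    if m > len(certs):  # assumption: a response must cover some listed cert
        raise ValueError("more OCSP responses than certificates")
    ocsps = [r.string() for _ in range(m)]
    r.finish()
    return certs, ocsps


def pair_by_position(certs, ocsps) -> Optional[List[Tuple[bytes, bytes]]]:
    """The shortcut the message asks about: treat the OCSP list as sorted like
    the certificate list. Position alone is unambiguous only when every
    certificate has exactly one response; with fewer responses the reader
    cannot tell which certificate a response covers, so None is returned
    (a real verifier would then have to match on the OCSP CertID)."""
    if len(ocsps) == len(certs):
        return list(zip(certs, ocsps))
    return None


# ---- layout B: one (certificate, optional OCSP) pair per chain element ---
def encode_pairs(pairs: List[Tuple[bytes, Optional[bytes]]]) -> bytes:
    out = struct.pack(">I", len(pairs))
    for cert, ocsp in pairs:
        out += ssh_string(cert) + ssh_string(ocsp or b"")  # empty string = no response
    return out


def decode_pairs(blob: bytes) -> List[Tuple[bytes, Optional[bytes]]]:
    r = Reader(blob)
    pairs = []
    for _ in range(read_count(r, "pair")):
        cert = r.string()
        if not cert:
            raise ValueError("empty certificate")
        pairs.append((cert, r.string() or None))  # the gap is explicit here
    r.finish()
    return pairs


def split_pairs(pairs):
    """Recover the two separate, still sorted, lists from layout B."""
    return [c for c, _ in pairs], [o for _, o in pairs if o is not None]


def size_difference(pairs) -> int:
    """Bytes layout B costs over layout A for the same content."""
    return len(encode_pairs(pairs)) - len(encode_lists(*split_pairs(pairs)))


def is_malformed(blob: bytes, decoder) -> bool:
    try:
        decoder(blob)
    except ValueError:
        return True
    return False


# Constructed sample values: opaque stand-ins, not real DER.
EE, INTER, ROOT = b"<ee-cert>", b"<intermediate-cert>", b"<root-cert>"
OCSP_EE = b"<ocsp-for-ee>"
CHAIN = [EE, INTER, ROOT]
PAIRS = [(EE, OCSP_EE), (INTER, None), (ROOT, None)]  # only the EE has a response

if __name__ == "__main__":
    certs, ocsps = decode_lists(encode_lists(CHAIN, [OCSP_EE]))
    print("layout A, positional pairing possible:", pair_by_position(certs, ocsps) is not None)
    print("layout B round-trips with gaps:", decode_pairs(encode_pairs(PAIRS)) == PAIRS)
    print("extra bytes for layout B:", size_difference(PAIRS))
```

With one response for three certificates, layout A decodes fine but `pair_by_position` has to give up, which is exactly the ambiguity the message points at; layout B carries the same chain with the gaps marked for four extra bytes (one empty-string length word per missing response, minus the second count word layout A needs). The `Reader` checks matter regardless of layout: the length fields come from the peer before it is authenticated.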