I support this draft. I've read it many times in the past, and have implemented almost all of it (no CRMF), but, as often happens when re-reading an old document, I found a new issue, which could be construed as a nit if the authors agree that my rephrasing is what they meant.
Section 3.9.7: In this profile a single reference object to publication location of the immediate superior certificate MUST be used, except in the case where a CA distributes its public key in the form of a "self-signed" certificate, in which case the AIA field SHOULD be omitted. I think we need to change "MUST be used" to "MUST be present". "MUST be used" could be construed as constraining relying party behavior, which would rule out mechanisms such as Steve Kent's algorithm for constructing a local trust anchor. Since the choice of a trust anchor is, ultimately, up to the relying party, not the issuer, I don't think it's reasonable for the profile to constrain the relying party in this way. So it's ok to require the issuer to supply the AIA, but not to require the relying party to use it. _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
