I've read the draft, and I think it is appropriate as a starting point for a trust model document in WPKOPS.
The draft says (section 1.2) that root CAs have root certificates, which are self-signed certificates. That last bit is not required by either RFC 5280 or RFC 6024. RFC 5280 defines cross-certificates (which are CAs) as certificates having different subject and issuer. IOW they're just not self-issued. What makes a CA (and its certificate) "root" is not that they're self-issued or self-signed, but the fact that they are present in the trust anchor store. It's common for the public CAs to be self-signed, but I've tested Firefox, Microsoft, and Apple's store, and they all accept non-self-signed certificates as trusted roots. So I'd replace "a self-signed certificate" with "a certificate, typically self-signed".

But this does not detract from my opinion that this draft should be adopted.

Yoav

On Jun 19, 2013, at 5:23 PM, Sharon Boeyen <[email protected]> wrote:

> Our WG charter includes a milestone for adoption of the 1st WG draft of the trust models paper this month. Only a few comments on the current individual draft have been received and a response on how they will be addressed was sent to the list yesterday.
>
> Please comment on whether or not you are prepared to adopt the paper (with the promised changes) as the first wpkops WG draft. In order to give the authors time to update the draft and submit before the cutoff in early July it is important to get the WG feedback asap. Please provide a Yes/No indication to the mail list within the next week. Also, if you have any additional comments on the draft please submit them asap as well.
>
> Cheers,
> Sharon
_______________________________________________ wpkops mailing list [email protected] https://www.ietf.org/mailman/listinfo/wpkops
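As an added illustration of the point made above (example code written for this page, not from the draft, the WPKOPS group, or any of the posters), the Go program below builds a self-signed CA A, a cross-certificate for CA B issued by A (subject B, issuer A), and a leaf certificate issued by B, then shows that the cross-certificate is not self-signed yet anchors the leaf's chain once it is placed in the root pool. The CA names and serials are constructed sample values, and Go's crypto/x509 verifier stands in for a browser or OS trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// must keeps the example short: it panics instead of propagating errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// issue signs a certificate for cn (constructed sample name) with signer's key; a nil parent makes it self-signed, a certSign key usage marks it as a CA.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}
// IsSelfSigned is the structural test: subject equals issuer and the signature verifies under the certificate's own key.
func IsSelfSigned(c *x509.Certificate) bool {
	return string(c.RawSubject) == string(c.RawIssuer) && c.CheckSignatureFrom(c) == nil
}
// VerifyWithAnchor treats anchor as the trust anchor, self-signed or not; membership in the store is what makes it a "root".
func VerifyWithAnchor(leaf, anchor *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
// BuildScenario: A is self-signed; crossB is B's cross-certificate issued by A (subject B, issuer A); leaf is issued by B.
func BuildScenario() (a, crossB, leaf *x509.Certificate) {
	keyA, keyB, keyL := newKey(), newKey(), newKey()
	a = issue("Example CA A", 1, x509.KeyUsageCertSign, nil, keyA, keyA)
	crossB = issue("Example CA B", 2, x509.KeyUsageCertSign, a, keyB, keyA)
	leaf = issue("leaf", 3, x509.KeyUsageDigitalSignature, crossB, keyL, keyB)
	return
}
```

With only the cross-certificate in the root pool the leaf verifies, while the self-signed A alone cannot anchor the chain because B is not in the store.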
