Re: CERT records
- To: lewis@tislabs.com, DNSEXT WG Mailing list <namedroppers@ops.ietf.org>
- Subject: Re: CERT records
- From: "Stefan Kelm" <kelm@secorvo.de>
- Date: Tue, 14 Nov 2000 19:38:59 +0100
- Delivery-date: Tue, 14 Nov 2000 12:13:33 -0800
- Envelope-to: namedroppers-data@psg.com
- Organization: Secorvo Security Consulting GmbH
Ed,
> Referring to RFC 2538, is it worth proposing a new "certificate type value"
> for a PKIX X509 CRL?
>
> There is a value (1) for X509 PKIX certificates. It could be argued that
> this value should be used for CRLs.
>
> The reason I am floating this is because of a decidedly non-protocol issue.
> In Java there are classes for X509Certificate and X509CRL. Because of the
> language's inheritance model [1], the two cannot be treated as the other
> safely. Ergo, when I get bits from DNS, I have to know ahead of time
> whether the bits are a Certificate or a CRL[2]. Knowing ahead of time
> could be made easy through a new certificate type value.
this makes a lot of sense, esp. since CRLs tend to grow very large in
real-life environments. However, we need to be careful to avoid
ambiguities since RFC 2538 allows for both certificates and CRLs to
be carried inside a CERT RR. So, someone who implements only RFC 2538
might not be able to check a new CRL RR. Maybe an OID could indeed
be used.
Cheers,
Stefan.
-------------------------------------------------------
Dipl.-Inform. Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe
Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail kelm@secorvo.de, http://www.secorvo.de
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
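The ambiguity discussed above (RFC 2538 type value 1 covers both PKIX certificates and CRLs, so a consumer has to know in advance which it has) can be made concrete. The following is an added example, not code from the thread or from any of the participants: it splits CERT RR RDATA into its RFC 2538 fields (2-octet type, 2-octet key tag, 1-octet algorithm, payload) and then walks the DER of a type-1 payload to guess whether it is a Certificate or a CertificateList, using the field order of TBSCertificate and TBSCertList from the PKIX profile. The sample inputs are constructed, unsigned DER skeletons with placeholder names, times and an empty signature; they are not real certificates or CRLs. The structural walk shows why an explicit type value is preferable: a v1 certificate and a v2 CRL both begin with an INTEGER, and the two only diverge at the fourth element of the TBS sequence.

```python
"""Parse RFC 2538 CERT RDATA and tell an X.509 certificate from a CRL by DER
structure. Added example for the namedroppers thread; assumptions are noted inline."""
import struct

# Certificate type values from RFC 2538 section 2.1
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 253: "URI", 254: "OID"}


def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA: 2-octet type, 2-octet key tag, 1-octet algorithm, then payload."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, alg = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "type_name": CERT_TYPES.get(cert_type, "unassigned"),
            "key_tag": key_tag, "algorithm": alg, "payload": rdata[5:]}


def der_tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos; return (tag, value_start, value_end). Single-octet tags only."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, end


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def classify_pkix_payload(payload: bytes) -> str:
    """Heuristic: inspect the tags of the TBS elements (PKIX field order, RFC 2459)."""
    tag, start, _ = der_tlv(payload)
    if tag != 0x30:
        return "not-der-sequence"
    tbs_tag, tbs_start, tbs_end = der_tlv(payload, start)
    if tbs_tag != 0x30:
        return "malformed"
    fields = [t for t, _, _ in der_children(payload, tbs_start, tbs_end)]
    if not fields:
        return "malformed"
    if fields[0] == 0xA0:          # [0] EXPLICIT version: only TBSCertificate has it
        return "certificate"
    if fields[0] == 0x30:          # v1 CRL: first element is the signature AlgorithmIdentifier
        return "crl"
    if fields[0] == 0x02 and len(fields) >= 4:
        # v1 certificate (serialNumber) and v2 CRL (version) both open with INTEGER,
        # then AlgorithmIdentifier, then issuer Name; the 4th element differs:
        # validity SEQUENCE for a certificate, thisUpdate Time for a CRL.
        if fields[3] == 0x30:
            return "certificate"
        if fields[3] in (0x17, 0x18):  # UTCTime / GeneralizedTime
            return "crl"
    return "unknown"


def classify_rr(rdata: bytes) -> str:
    """Classify a CERT RR; only type 1 (PKIX) payloads are DER certificates or CRLs."""
    rec = parse_cert_rdata(rdata)
    if rec["type"] != 1:
        return rec["type_name"]
    return classify_pkix_payload(rec["payload"])


# --- constructed sample data (unsigned skeletons, not real certificates) ---
def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


ALG = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, b"example"))))
T1, T2 = der(0x17, b"001114000000Z"), der(0x17, b"011114000000Z")   # placeholder UTCTimes
SIG = der(0x03, b"\x00" * 5)                                          # placeholder BIT STRING


def skeleton_cert(v3: bool = True) -> bytes:
    ver = der(0xA0, der(0x02, b"\x02")) if v3 else b""
    tbs = der(0x30, ver + der(0x02, b"\x01") + ALG + NAME + der(0x30, T1 + T2) + NAME + der(0x30, b""))
    return der(0x30, tbs + ALG + SIG)


def skeleton_crl(v2: bool = True) -> bytes:
    ver = der(0x02, b"\x01") if v2 else b""
    tbs = der(0x30, ver + ALG + NAME + T1 + T2 + der(0x30, b""))
    return der(0x30, tbs + ALG + SIG)


def cert_rr(payload: bytes, key_tag: int = 0, alg: int = 0, cert_type: int = 1) -> bytes:
    """Build CERT RDATA around a payload (key tag and algorithm left at 0 for the demo)."""
    return struct.pack("!HHB", cert_type, key_tag, alg) + payload


if __name__ == "__main__":
    for label, blob in [("v3 cert", skeleton_cert()), ("v1 cert", skeleton_cert(False)),
                        ("v2 CRL", skeleton_crl()), ("v1 CRL", skeleton_crl(False))]:
        print(label, "->", classify_rr(cert_rr(blob)))
```

The DER walk is deliberately tolerant of nothing: a producer that omits an optional field, or a future profile that reorders the TBS, breaks the guess silently, whereas a distinct type value in the RDATA is checked before a single DER byte is decoded.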