FIPS201 and the AIA CA-extension
RFC 3280   
   "The id-ad-caIssuers OID is used when the additional information lists
   CAs that have issued certificates *superior* to the CA that issued the
   certificate containing this extension.  The referenced CA issuers
   description is intended to aid certificate users in the selection of
   a certification path that terminates at a point trusted by the
   certificate user"

Assume I have a FIPS201 card (which, as far as I can tell, does not contain
any CA certificates at all). How can a TLS client locate the actual issuing
CA, which is a requirement for the certificate filtering/selection to work[*]?

Anders

*] Unless the server downloads the entire path itself (as DNs), which
it cannot do for "scheme" CAs, where RPs do not have to have any
information about scheme subordinate CAs.
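
The caIssuers walk the question turns on, as an added example (not code from the original post, the list, or any FIPS 201 implementation): a Go program that issues a constructed root, subordinate CA and cardholder certificate carrying AIA pointers, then has a relying party that holds only the cardholder certificate and a root anchor locate the issuing CA by following id-ad-caIssuers. The URLs, CA names and the in-memory repository that stands in for HTTP fetches are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Hypothetical repository URLs (assumed here) placed in the AIA id-ad-caIssuers entries.
const (
	rootURL = "http://pki.example.test/root.cer"
	subURL  = "http://pki.example.test/sub.cer"
)

// issue signs tmpl under parent and re-parses it (fixture-only, so it panics).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, der
}

// buildFixture issues a constructed root -> sub CA -> cardholder chain. Sub CA and
// cardholder point at their issuer via AIA; the root (the trust anchor) carries none.
// It returns the cardholder cert, the root, and a map of AIA URL -> DER that stands
// in for the HTTP repository a real client would fetch from.
func buildFixture() (*x509.Certificate, *x509.Certificate, map[string][]byte) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		keys[i] = k
	}
	tmpl := func(serial int64, cn string, ku x509.KeyUsage, aia []string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			BasicConstraintsValid: true, IsCA: ku == x509.KeyUsageCertSign, KeyUsage: ku,
			IssuingCertificateURL: aia, // Go emits this as the AIA id-ad-caIssuers entries
		}
	}
	rootT := tmpl(1, "Example Root CA", x509.KeyUsageCertSign, nil)
	root, rootDER := issue(rootT, rootT, &keys[0].PublicKey, keys[0])
	sub, subDER := issue(tmpl(2, "Example Sub CA", x509.KeyUsageCertSign, []string{rootURL}), root, &keys[1].PublicKey, keys[0])
	leaf, _ := issue(tmpl(3, "PIV Cardholder", x509.KeyUsageDigitalSignature, []string{subURL}), sub, &keys[2].PublicKey, keys[1])
	return leaf, root, map[string][]byte{rootURL: rootDER, subURL: subDER}
}

// chaseAIA follows id-ad-caIssuers upward from a certificate that arrived without
// its chain. A fetched object counts only if it really signed the certificate that
// pointed at it (the URL is untrusted data), and maxDepth stops a looping chain.
func chaseAIA(leaf *x509.Certificate, fetch func(string) ([]byte, error), maxDepth int) ([]*x509.Certificate, error) {
	var issuers []*x509.Certificate
	for cur := leaf; len(cur.IssuingCertificateURL) > 0; {
		if len(issuers) >= maxDepth {
			return nil, errors.New("caIssuers chain exceeds maxDepth")
		}
		var next *x509.Certificate
		for _, u := range cur.IssuingCertificateURL {
			der, err := fetch(u)
			if err != nil {
				continue
			}
			c, err := x509.ParseCertificate(der)
			if err != nil || cur.CheckSignatureFrom(c) != nil {
				continue // corrupt, not a CA, or simply the wrong certificate
			}
			next = c
			break
		}
		if next == nil {
			return nil, errors.New("no usable caIssuers for " + cur.Subject.CommonName)
		}
		issuers = append(issuers, next)
		cur = next
	}
	return issuers, nil
}

// pathLength validates leaf through the discovered issuers to a locally held
// anchor: AIA only locates candidates, trust still comes from the RP's own store.
func pathLength(leaf *x509.Certificate, issuers []*x509.Certificate, anchors *x509.CertPool) (int, error) {
	inter := x509.NewCertPool()
	for _, c := range issuers {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: anchors, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}
```

The point of splitting chaseAIA from pathLength is the one the RFC text makes: caIssuers is an aid to finding a path, not a statement of trust. chaseAIA treats each fetched object as untrusted until it verifiably signed the certificate that referenced it (a repository serving the wrong certificate, or anything at all, is simply skipped), and pathLength still fails unless the discovered root is already in the relying party's anchor store. In a real client the fetch is a plain HTTP GET of the URL from the AIA extension, and a depth bound is what keeps a hostile or misconfigured chain from turning path discovery into an unbounded download loop.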