[x500standard] Re: Trust anchor information

  • From: Carl Wallace <carl@xxxxxxxxxxxxxxxxxxxx>
  • To: <x500standard@xxxxxxxxxxxxx>
  • Date: Mon, 07 Apr 2014 06:38:01 -0400


From:  DP-Security-Consulting <dp.sec.consulting@xxxxxxx>
Reply-To:  <x500standard@xxxxxxxxxxxxx>
Date:  Monday, April 7, 2014 at 4:00 AM
To:  <x500standard@xxxxxxxxxxxxx>
Subject:  [x500standard] Re: Trust anchor information
> <snip>
> The reason is the following: the fundamental point is how long you can trust
> that public key. It is indicated in both Certificate and TBSCertificate, but
> not in TrustAnchorInfo. So I would deprecate the use of TrustAnchorInfo and
> recommend the use of TBSCertificate in the case where Certificate cannot be
> used.

Please point to validation steps that use the validity period in either
Certificate or TBSCertificate when those structures are used as a TA.  Also
note the validity period does appear in TrustAnchorInfo when it wraps a
certificate.  It is only absent when using the TrustAnchorInfo to produce a
minimal encoding of the TA including only the name and key, which is not
something you can do with Certificate or TBSCertificate.
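A concrete illustration of the minimal encoding mentioned above, added here as an example and not code from the thread or from any standard's reference implementation: it hand-builds an RFC 5914 TrustAnchorInfo holding only the public key, its key identifier and the TA name (CertPathControls with just taName), then walks the DER to show that no Validity component (UTCTime/GeneralizedTime) exists in it, while the same walk finds one as soon as a Validity structure is wrapped. The RSA key bytes are constructed, and the DER walker assumes single-byte tags and definite lengths, which is all DER needs here.

```python
import hashlib

SEQ, SET, INT, OID, OCTET, BITSTR, NULL, PRINTABLE = 0x30, 0x31, 0x02, 0x06, 0x04, 0x03, 0x05, 0x13
RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption
CN_OID = bytes.fromhex("550403")               # 2.5.4.3 commonName

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

# Constructed RSAPublicKey ::= SEQUENCE { modulus, publicExponent }; not a real key.
FAKE_RSA_KEY = der(SEQ, der(INT, bytes(range(1, 33))) + der(INT, b"\x01\x00\x01"))

def spki(rsa_key_der: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }."""
    alg = der(SEQ, der(OID, RSA_OID) + der(NULL, b""))
    return der(SEQ, alg + der(BITSTR, b"\x00" + rsa_key_der))  # leading 0x00: no unused bits

def name_cn(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName, here a single commonName."""
    atv = der(SEQ, der(OID, CN_OID) + der(PRINTABLE, cn.encode("ascii")))
    return der(SEQ, der(SET, atv))

def minimal_trust_anchor_info(rsa_key_der: bytes, ta_name: str) -> bytes:
    """RFC 5914 TrustAnchorInfo in its name-and-key-only form: version omitted (DEFAULT v1),
    pubKey, keyId, and CertPathControls holding just taName. No certificate, so no Validity."""
    key_id = der(OCTET, hashlib.sha1(rsa_key_der).digest())  # RFC 5280 4.2.1.2 method (1)
    return der(SEQ, spki(rsa_key_der) + key_id + der(SEQ, name_cn(ta_name)))

def walk(data: bytes):
    """Yield (tag, body) for every TLV in a DER blob, descending into constructed values."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        body = data[i:i + n]
        yield tag, body
        if tag & 0x20:  # SEQUENCE, SET and [n] EXPLICIT are constructed: recurse
            yield from walk(body)
        i += n

def carries_validity(der_bytes: bytes) -> bool:
    """True if any UTCTime/GeneralizedTime (the Validity components) appears anywhere."""
    return any(tag in (0x17, 0x18) for tag, _ in walk(der_bytes))
```

Running `carries_validity` over a DER Certificate, or over a TrustAnchorInfo whose CertPathControls carries a certificate, returns True; over the minimal form it returns False, which is the point of the reply.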
