
shibboleth-dev - RE: "Unfortunate" Thawte discovery

Subject: Shibboleth Developers

List archive

RE: "Unfortunate" Thawte discovery


  • From: "RL 'Bob' Morgan" <>
  • To: Scott Cantor <>
  • Cc: Shibboleth Design Team <>
  • Subject: RE: "Unfortunate" Thawte discovery
  • Date: Fri, 26 Jul 2002 10:01:17 -0700 (PDT)


On Fri, 26 Jul 2002, Scott Cantor wrote:

> I think that's the underspecified part.

No, the underspecified part is the intent of:

id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
-- TLS WWW server authentication
-- Key usage bits that may be consistent: digitalSignature,
-- keyEncipherment or keyAgreement

Is the "TLS WWW server authentication" prescriptive or only an example?
If it's prescriptive then compliant implementations would have to reject
use of such certs with SSL 3.0, with IMAP, etc., as I have suggested. If
it's not prescriptive, then what defines "serverAuth"? If my "server" is
using this cert to identify itself, is that OK, even if it happens to be
acting in the client role as defined by some particular protocol? How
about in a peer-to-peer protocol that doesn't distinguish client from
server?

The PKIX spec should leave the interpretation of purpose up to protocol
specs, and up to profiles of those protocols for particular real-world
purposes, like Shib. It's completely stupid for this spec to try to
specify this stuff.

- RL "Bob"


------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
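The following is an added example, not code from the thread or from the Shibboleth project. It shows what the two readings of id-kp-serverAuth argued about above look like when a relying party actually has to decide: it DER-encodes and decodes an ExtendedKeyUsage value built from the OID arcs the message quotes (id-kp is 1.3.6.1.5.5.7.3 in PKIX, so id-kp-serverAuth is 1.3.6.1.5.5.7.3.1 and id-kp-clientAuth is 1.3.6.1.5.5.7.3.2), then applies either the "prescriptive" reading (serverAuth means a TLS WWW server and nothing else) or the "role" reading (serverAuth means whoever is identifying itself as the server in whatever protocol). The protocol and role names passed to `permits` are this example's own labels, not anything defined by PKIX.

```python
"""Added example: decode an ExtendedKeyUsage extension and apply the
two readings of id-kp-serverAuth discussed in the thread."""

# OID arcs from PKIX (RFC 3280): id-kp = 1.3.6.1.5.5.7.3
ID_KP = "1.3.6.1.5.5.7.3"
ID_KP_SERVER_AUTH = ID_KP + ".1"   # id-kp-serverAuth ::= { id-kp 1 }
ID_KP_CLIENT_AUTH = ID_KP + ".2"   # id-kp-clientAuth ::= { id-kp 2 }
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def encode_oid(dotted):
    """DER-encode a dotted OID string (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        # base-128, most significant group first, continuation bit on all but last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    assert len(body) < 0x80, "short-form length only in this example"
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body):
    """Inverse of encode_oid for the OID content octets (no tag/length)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (short-form length)."""
    content = b"".join(encode_oid(o) for o in oids)
    assert len(content) < 0x80, "short-form length only in this example"
    return bytes([0x30, len(content)]) + content


def decode_eku(der):
    """Return the list of dotted KeyPurposeId OIDs in a DER EKU value."""
    if der[0] != 0x30 or der[1] >= 0x80:
        raise ValueError("expected SEQUENCE with short-form length")
    pos, end, oids = 2, 2 + der[1], []
    while pos < end:
        tag, ln = der[pos], der[pos + 1]
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(decode_oid(der[pos + 2:pos + 2 + ln]))
        pos += 2 + ln
    if pos != end:
        raise ValueError("EKU length mismatch")
    return oids


def permits(eku_oids, protocol, role, reading="role"):
    """Decide whether an EKU list allows a use, under one of two readings.

    eku_oids: list from decode_eku, or None when the extension is absent.
    protocol: example label such as "tls-www", "ssl3", "imap" (assumed names).
    role:     "server", "client", or "peer" (assumed names).
    reading:  "prescriptive" (serverAuth == TLS WWW server only) or
              "role" (serverAuth == whoever plays the server in any protocol).
    """
    if eku_oids is None or ANY_EXTENDED_KEY_USAGE in eku_oids:
        return True  # no EKU, or anyExtendedKeyUsage: no restriction to apply
    has_server = ID_KP_SERVER_AUTH in eku_oids
    has_client = ID_KP_CLIENT_AUTH in eku_oids
    if reading == "prescriptive":
        # The comment text taken literally: only a TLS WWW server qualifies.
        if role == "server":
            return has_server and protocol == "tls-www"
        if role == "client":
            return has_client
        return False  # a peer role has no literal match in the spec text
    # "role" reading: purpose is defined by the role the party plays.
    if role == "server":
        return has_server
    if role == "client":
        return has_client
    return has_server and has_client  # peer: must be able to play both sides
```

Under the prescriptive reading a serverAuth-only certificate is refused for the IMAP and SSL 3.0 cases the message lists and for any peer-to-peer use; under the role reading the same certificate is accepted wherever the holder is the one being authenticated as the server. The decoder deliberately rejects long-form lengths rather than guessing, which is the safe failure mode for a parser that feeds a policy decision.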



