Rob Austein wrote:
> At Tue, 18 Sep 2007 05:16:40 +1000, Geoff Huston wrote:
>> The key parts of Rob's response last week as I understood it were:
>> a) the id-ad-manifest field of the SIA refers to the subject's manifest that describes what is in the subject's SIA.
> Er, maybe. You've phrased it differently enough from the way that I would have that I can't tell whether we're communicating. Try this: The id-ad-caRepository and id-ad-manifest components of a CA cert's SIA extension refer to the same directory: the former names the directory, the latter names the manifest describing the directory.

yep - that agrees with my understanding now!

>> b) EE certificates can use their SIA to point directly to the location of the signed object, and if the one-off use concept is adhered to no manifest is necessary.
> Yes, that is one plausible way to use an id-ad-signedObjectRepository SIA component.

yep

>> c) the EE cert that is issued for the key pair whose private key signed the manifest need not be published in an SIA - it exists in the CMS digital signature of the manifest.
> Yes, for the uses covered in (a) and (b). There was other discussion (including an alternative way of handling id-ad-signedObjectRepository SIA components), but the above does cover the main points for the cases we're most likely to care about.

thanks Rob

Geoff
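The SIA layout agreed in this exchange lends itself to a relying-party sanity check: a CA cert's caRepository pointer must name a directory and its manifest pointer must name a file directly inside that same directory, while a one-off EE cert carries only a signedObjectRepository pointer. The Python below is an added example, not code from this thread or from any RPKI implementation; it models an SIA as a list of (access method, URI) pairs using the draft-era method names from the post, normalises paths so a manifest pointer that escapes the directory via `..` is rejected, and the repository URIs are constructed.

```python
import posixpath
from urllib.parse import urlsplit

# Access-method names as used in the thread (draft-era names, used here as labels).
CA_REPOSITORY = "id-ad-caRepository"
MANIFEST = "id-ad-manifest"
SIGNED_OBJECT_REPOSITORY = "id-ad-signedObjectRepository"


def _norm(uri):
    """Split a URI into (scheme, host, normalised path); '.', '..' and '//' collapse."""
    p = urlsplit(uri)
    return p.scheme.lower(), p.netloc.lower(), posixpath.normpath(p.path or "/")


def check_ca_sia(sia):
    """CA cert: caRepository names a directory and the manifest is a file
    directly inside that same directory. Returns a list of problems."""
    problems = []
    repos = [u for m, u in sia if m == CA_REPOSITORY]
    mfts = [u for m, u in sia if m == MANIFEST]
    if len(repos) != 1 or len(mfts) != 1:
        return ["CA SIA needs exactly one caRepository and one manifest pointer"]
    repo, mft = repos[0], mfts[0]
    if not repo.endswith("/"):
        problems.append("caRepository %s does not name a directory" % repo)
    rs, rh, rpath = _norm(repo)
    ms, mh, mpath = _norm(mft)
    # Same scheme/host, parent of the manifest path == repository path, non-empty file name.
    if (rs, rh, rpath) != (ms, mh, posixpath.dirname(mpath)) or not posixpath.basename(mpath):
        problems.append("manifest %s is not a file in directory %s" % (mft, repo))
    return problems


def check_ee_sia(sia):
    """One-off EE cert: one signedObjectRepository pointer naming the object itself, no manifest."""
    problems = []
    objs = [u for m, u in sia if m == SIGNED_OBJECT_REPOSITORY]
    if len(objs) != 1:
        problems.append("EE SIA needs exactly one signedObjectRepository pointer")
    elif objs[0].endswith("/"):
        problems.append("signedObjectRepository %s names a directory, not an object" % objs[0])
    if any(m == MANIFEST for m, _ in sia):
        problems.append("one-off EE cert should not carry a manifest pointer")
    return problems


# Constructed sample SIAs (hypothetical repository URIs).
CA_SIA = [(CA_REPOSITORY, "rsync://rpki.example.net/repo/ca1/"),
          (MANIFEST, "rsync://rpki.example.net/repo/ca1/ca1.mft")]
EE_SIA = [(SIGNED_OBJECT_REPOSITORY, "rsync://rpki.example.net/repo/ca1/roa1.roa")]
```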