OASIS Mailing List Archives
imi message



Subject: Re: [imi] Philosophical questions


If a certificate doesn't chain to a valid root the Public Key is used to generate the Client Pseudonym rather than the values from the DN.

I have been asked by someone if case 3 should be used for expired and revoked certificates.
I think the answer is no; they still chain to a trusted root even though they may not be trusted themselves.

This is slightly counterintuitive, but is due to the fact that changing the PPID breaks the P-Card for that site.

If the user overrides a selector warning and indicates a policy override of some sort for the site, then the PPID should remain the same and the card should continue to work at the site.

Some selectors who shall go unnamed may want to add some user dialog around this, though that is outside of the spec.


John B.

On 2-Apr-09, at 12:51 PM, Scott Cantor wrote:

John Bradley wrote on 2009-04-02:
I am guessing from your answer that you don't think the selector should
change its Client Pseudonym/PPID algorithm selection if a cert expires,
or would you have that configurable in the selector in some way?

Allowing you to send a token but you not getting in because the generated
PPID/keys are different seems not entirely useful to me.

It seems to me that issues related to the certificate validity should govern
UI around the approval of token submission, but should stay out of the PPID
generation.

-- Scott


