
Re: CERT records



On Fri, 3 Nov 2000, Edward Lewis wrote:

> Referring to RFC 2538, is it worth proposing a new "certificate type value"
> for a PKIX X509 CRL?
> 
> There is a value (1) for X509 PKIX certificates.  It could be argued that
> this value should be used for CRLs.

The certificate section of PKIX CERT records should start with an OID
length byte and then an X.500 OID specifying the content of the CERT
RR.  Among others, section 2.3 of RFC 2538 mentions two OIDs that look
relevant:

    id-at-userCertificate
        = { joint-iso-ccitt(2) ds(5) at(4) 36 }
           == 0x 03 55 04 24

    id-at-certificateRevocationList
        = { joint-iso-ccitt(2) ds(5) at(4) 39 }
           == 0x 03 55 04 27

> The reason I am floating this is because of a decidedly non-protocol issue.
> In Java there are classes for X509Certificate and X509CRL.  Because of the
> language's inheritance model [1], the two cannot be treated as the other
> safely.  Ergo, when I get bits from DNS, I have to know ahead of time
> whether the bits are a Certificate or a CRL[2].  Knowing ahead of time
> could be made easy through a new certificate type value.

To my understanding it would be possible to use the OIDs for this.

Hope this helps.
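The tagging scheme the reply describes, worked through as an added example (not code from the message or from any DNS implementation): the CERT RDATA carries the RFC 2538 header (type, key tag, algorithm), then a one-byte OID length, the DER content octets of the OID, and finally the DER object. A resolver-side consumer reads the OID first and so knows whether to hand the bytes to an X509Certificate or an X509CRL parser before touching the DER. The two OIDs and their 03 55 04 24 / 03 55 04 27 encodings are the ones quoted above; the OID encoder/decoder is standard DER base-128 arc encoding; the DER payloads are constructed placeholders, not real certificates or CRLs; the key tag and algorithm values are assumed. Whether such tagging belongs under the PKIX type value (1), as the reply suggests, or under the OID type value (254) that RFC 2538 also defines, is left as a parameter here.

```python
"""Encode and parse DNS CERT RDATA whose certificate section is tagged
with a length-prefixed X.500 OID, as described in the reply above.

Layout used here (RFC 2538 header, then the OID-tagged section as the
message describes it):

    type (16 bits) | key tag (16 bits) | algorithm (8 bits) |
    OID length (8 bits) | OID (DER content octets) | DER object

Added example; the sample payloads are constructed placeholders.
"""
import struct

# OIDs quoted in the message, in dotted form.
ID_AT_USER_CERTIFICATE = "2.5.4.36"
ID_AT_CERTIFICATE_REVOCATION_LIST = "2.5.4.39"

# RFC 2538 certificate type values referred to here.
CERT_TYPE_PKIX = 1
CERT_TYPE_OID = 254

# Assumed algorithm number for the examples (RFC 2538 uses DNSSEC numbers).
ALGORITHM_RSAMD5 = 1


def encode_oid(dotted: str) -> bytes:
    """DER content octets of an OID (no tag/length byte): the first two
    arcs fold into one subidentifier, every subidentifier is base 128
    with the high bit set on all bytes but the last."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: %s" % dotted)
    out = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = bytearray([value & 0x7F])
        value >>= 7
        while value:
            chunk.insert(0, 0x80 | (value & 0x7F))
            value >>= 7
        out.extend(chunk)
    return bytes(out)


def decode_oid(raw: bytes) -> str:
    """Inverse of encode_oid; rejects empty input and a truncated arc."""
    subids, value, pending = [], 0, False
    for b in raw:
        value, pending = (value << 7) | (b & 0x7F), True
        if not b & 0x80:
            subids.append(value)
            value, pending = 0, False
    if pending or not subids:
        raise ValueError("empty or truncated OID")
    first = subids[0]
    a0 = 2 if first >= 80 else first // 40
    return ".".join(str(a) for a in [a0, first - 40 * a0] + subids[1:])


def build_cert_rdata(oid: str, der_object: bytes, key_tag: int = 0,
                     algorithm: int = ALGORITHM_RSAMD5,
                     cert_type: int = CERT_TYPE_PKIX) -> bytes:
    """RFC 2538 header followed by the OID-tagged certificate section."""
    oid_bytes = encode_oid(oid)
    if len(oid_bytes) > 255:
        raise ValueError("OID too long for a one-byte length prefix")
    header = struct.pack(">HHB", cert_type, key_tag, algorithm)
    return header + bytes([len(oid_bytes)]) + oid_bytes + der_object


def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA into its fields; raises on short or lying input."""
    if len(rdata) < 6:
        raise ValueError("RDATA shorter than header plus OID length byte")
    cert_type, key_tag, algorithm = struct.unpack(">HHB", rdata[:5])
    oid_len = rdata[5]
    oid_bytes = rdata[6:6 + oid_len]
    if len(oid_bytes) != oid_len:
        raise ValueError("OID length byte exceeds remaining RDATA")
    return {"type": cert_type, "key_tag": key_tag, "algorithm": algorithm,
            "oid": decode_oid(oid_bytes), "object": rdata[6 + oid_len:]}


def classify(rdata: bytes) -> str:
    """Name the parser to use, decided from the OID before any DER parsing."""
    oid = parse_cert_rdata(rdata)["oid"]
    if oid == ID_AT_USER_CERTIFICATE:
        return "X509Certificate"
    if oid == ID_AT_CERTIFICATE_REVOCATION_LIST:
        return "X509CRL"
    return "unknown:" + oid


if __name__ == "__main__":
    # Constructed placeholder DER (SEQUENCE { INTEGER 42 }), not a real object.
    placeholder = b"\x30\x03\x02\x01\x2a"
    for oid in (ID_AT_USER_CERTIFICATE, ID_AT_CERTIFICATE_REVOCATION_LIST):
        rdata = build_cert_rdata(oid, placeholder, key_tag=0x1234)
        print(rdata.hex(), "->", classify(rdata))
```

The check that matters in practice is the length-byte validation in `parse_cert_rdata`: a record whose OID length claims more bytes than the RDATA holds, or an OID whose last byte still has the continuation bit set, is rejected before any certificate or CRL parser sees it.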


