section 12.4 - Trust Anchor Protection

ietf-rats-wg / architecture

RATS Architecture

Other

15 stars 10 forks source link

section 12.4 - Trust Anchor Protection #410

Closed mcr closed 2 years ago

mcr commented 2 years ago

Document says:

If certificates are used as trust anchors, Verifiers and Relying Parties are also responsible for 
validating the entire certificate path up to the trust anchor, which includes checking for certificate 
revocation. See Section 6 of [[RFC5280](https://ietf-rats-wg.github.io/architecture/draft-ietf-rats-
architecture.html#RFC5280)] for details.

Since RFC5280 is being invoked here, is there an expectation that certificates in RATS would confirm to this profile?

mcr commented 2 years ago

The situation is very much use case dependant. If one is going to rely upon certificates and paths and trust anchors, then a profile should say this. It might be wise to do that.

Whole document is non-normative.

mcr commented 2 years ago

Are there some other documents that we can cite that are more prescriptive? There are NIST documents that explain the issues, but are reluctant to be prescriptive.

mcr commented 2 years ago

If certificates are used as trust anchors, Verifiers and Relying Parties are also responsible for validating the entire certificate path up to the trust anchor, which may include checking for certificate revocation.