Stefan Santesson | 1 Aug 2012 03:46

Re: 2560bis

Mike,

Hoping that your mail reaches the list; else my reply, containing your
message below, will.

On your essay:
I agree and I hope nothing in draft 05 led you to think that you need to
use the same key to sign the response that was used to issue the cert.
However, for authorized responders, the key used to sign the cert
SHOULD/MUST be the same key that was used to sign the cert to the
authorized responder.
At least, this is the only option that clients need to support.

/Stefan 

On 12-07-31 6:42 PM, "Michael Myers" <mmyers <at> fastq.com> wrote:

>Vote:  I change my vote to option A.
>
>Notice:  I assume I'm writing to just the three of you since I still
>can't get a fix on why my posts to PKIX bounce.  I am at this very
>moment working with my ISP on the issue. But to the extent you are
>consolidating WG positions for a consensus on a path forward, there's
>mine.
>
>Essay:  The key that signs the response need not be the key that
>signed the cert.  That capability MUST be maintained to enable an
>effective distribution of authority.  I know well the original
>language is at times ambiguous, the reasons for which have likely been
>overcome by events.