
Re: Returning single values from multivalued attributes



> "Miklos, Sue A." wrote:

> In an attempt to clarify my statement, I consider the entire
> certificate path processing (up to 3 levels in a hierarchy?) to
> include all the necessary elements of signature and hash
> validation/comparison as well as CRL checking (which I believe to be
> the proper behavior). This entire process should occur whenever the
> "retrieving protocol" conveys its "payload" to the crypto service
> provider module.
> 
> The CSP module is going to cycle through whatever it's given until it
> reaches some state of completion (no more certificates to check).
> 
> I would like the ability for the data repository to selectively return
> information through an application/protocol exchange that can request
> specific information, narrowing the processing time.  This "rejection
> of values" should, in my view, occur prior to handing the 'payload' to
> a CSP module.  That was all I was trying to convey.

I'm lost now. If the crypto needs to be done, and takes
much work, it'll take much work whether you do it on the server
or the client (clients are typically faster than servers these
days). If the crypto doesn't need to be done to pick the right
cert, then you don't need your 1 second thinking time.