
Re: encoding an X.509 certificate



At 4:13 PM -0500 11/9/08, Russ Housley wrote:
>Anders:
>
>>Couldn't somebody set up something like W3C's HTML validator but for X509 certificates?
>
>I do not know what the W3C HTML validator does, but I am aware of the NIST PKI testing:
>
>http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html

The W3C Validator (<http://validator.w3.org/>) is an online mechanism for people to see whether a web page is valid HTML or XHTML. Some people like showing that their HTML is valid by checking it every time it changes and, if shown valid, putting up a cute little logo on their web page.

The NIST PKIX test system is an offline system. I think Anders was hoping that, by putting up an online system, the problems mentioned in this thread might be reduced because CAs issuing certificates could check if they are valid. However, as Peter points out, there seems to be little interest on the part of the CA vendors to enforce the rules of X.509 and PKIX.

Creating a local validation tool inside a CA vendor's lab is trivial. The assumption that individual CA vendors don't know about their lack of conformance to the specs is dubious at best.

--Paul Hoffman, Director
--VPN Consortium