[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Need help finding implementations of certain RFC 5280 features

To: "David A. Cooper" <david.cooper@xxxxxxxx>
Subject: Re: Need help finding implementations of certain RFC 5280 features
From: Nuno Ponte <nuno.ponte@xxxxxxxxxxxxx>
Date: Tue, 24 Mar 2009 11:56:26 +0000
Cc: pkix <ietf-pkix@xxxxxxx>
In-reply-to: <49B05856.8040206@xxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: MULTICERT - Serviços de Certificação Electrónica, S.A.
References: <49B05856.8040206@xxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.1b3pre) Gecko/20090223 Lightning/1.0pre Thunderbird/3.0b2

Em 05-03-2009 22:55, David A. Cooper escreveu:

All,
I have been asked to work on finding two independent implementationsof every feature in RFC 5280 in order to support the process ofadvancing RFC 5280 to Draft Standard. I have been fairly successfulso far, but there are a lot of features in RFC 5280 that need to becovered. So, this will likely be the first of many emails requestinghelp in finding implementations of certain features.
So, please let me know if you are aware of any certificates thatsatisfy either of the following requirements:
1) From Section 4.2.1.4 (Certificate Policies):

     An explicitText field includes the textual statement directly in
     the certificate.  The explicitText field is a string with a
     maximum size of 200 characters.  Conforming CAs SHOULD use the
     UTF8String encoding for explicitText, but MAY use IA5String.
     Conforming CAs MUST NOT encode explicitText as VisibleString or
     BMPString.  The explicitText string SHOULD NOT include any control
     characters (e.g., U+0000 to U+001F and U+007F to U+009F).  When
     the UTF8String encoding is used, all character sequences SHOULD be
     normalized according to Unicode normalization form C (NFC) [NFC].
I have found several certificates that include a userNotice policyqualifier with explicitText, but every one of them encodes theexplicitText as VisibleString.

I think this is due to the lack of support for UserNotices inUTF8String on older versions of Microsoft Internet Explorer (as far as Iremember, IE6 still had this problem).As an example, the EJBCA software (http://www.ejbca.org) has aconfiguration to choose whether the UserNotice is encoded in UTF8Stringor BMPString.

2) From Section 4.2.2.1 (Authority Information Access):

  HTTP server implementations accessed via the URI SHOULD specify the
  media type application/pkix-cert [RFC2585] in the content-type header
  field of the response for a single DER encoded certificate....
I have found several certificates that include an AIA extension withan id-ad-caIssuers access method with an HTTP URI that points to asingle certificate, but none of the HTTP servers specify the mediatype as application/pkix-cert. Most specify the media type asapplication/x-x509-ca-cert and a few specify the media type astext/plain.
Thanks in advance for any help you can give me locating certificates(and HTTP servers) that can be used to demonstrate the existence ofimplementations of these features.
Dave

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- Need help finding implementations of certain RFC 5280 features
  - From: David A. Cooper

Prev by Date: draft minutes available
Previous by thread: Re: Need help finding implementations of certain RFC 5280 features
Next by thread: I-D Action:draft-ietf-pkix-sha2-dsa-ecdsa-06.txt
Index(es):
- Date
- Thread