
RE: Basic Cert-2-Directory mapping question



Jim:

There is an issue with S/MIME.  It was ONE of the reasons that we require a non-empty issuer distinguished name in RFC 249.  In RFC 2315 (and in RFC 2630 for backward compatibility), the SignerInfo structure includes IssuerAndSerialNumber to specify the certificate that contains the public key needed to validate the signature.  If an empty issuer name were permitted, this match would be impossible.  Similarly, the RecipientInfo field in the EnvelopedData uses IssuerAndSerialNumber to specify the certificate of the intended recipient.  Again, an empty issuer name would be counterproductive.

Russ

At 02:31 PM 1/12/2001 -0800, Jim Schaad wrote:
This does not match my memory of what was going on at the time.  My memory said that the Issuer DN was made required to simplify the chaining issues for building names.  I do not remember this as being pushed from the S/MIME working group although several of us from the S/MIME working group probably gave comments on this issue. 
 
jim
-----Original Message-----
From: Stephen Kent [mailto:kent@xxxxxxx]
Sent: Thursday, January 11, 2001 1:56 PM
To: Slone, Skip
Cc: ietf-pkix@xxxxxxx
Subject: RE: Basic Cert-2-Directory mapping question

Skip,

I would just like to add that, in addition to X.521 and some LDAP specs, the ability to recognize civil naming attributes in the issuer and subject fields of an X.509v3 cert is mandated in RFC 2459 (ref section 4.1.2.4) and in son-of-2459.

Ironically, the requirement for support for Issuer names (DNs) vs. allowing an Issuer altname in lieu of a DN, arose because the S/MIME WG was relying on the presence of an Issuer DN in their design, and I believe the motivation for it (Russ can confirm or correct this notion) was to facilitate directory lookup for certs in S/MIME!

<snip>



Steve
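
The IssuerAndSerialNumber match discussed in this thread, as an added example that is not part of the original messages: a receiver selects the signer's certificate by issuer DN plus serial number, and the same lookup becomes ambiguous when issuer names are empty. All function names, DNs and certificate records are constructed for illustration, and the DN comparison is a simplification of the X.500 matching rules.

```python
import re

def normalize_dn(dn):
    """Simplified comparison form: case-insensitive, inner whitespace collapsed.
    (Assumption: real X.500 matching depends on each attribute's syntax.)"""
    return tuple((t.lower(), re.sub(r"\s+", " ", v.strip()).lower()) for t, v in dn)

def find_by_issuer_and_serial(store, issuer, serial):
    """Return every certificate in store that matches the (issuer, serial) pair."""
    want = normalize_dn(issuer)
    return [c for c in store
            if c["serial"] == serial and normalize_dn(c["issuer"]) == want]

def select_signer_cert(store, issuer, serial):
    """Return the single matching certificate, or raise if the pair cannot identify one."""
    if not issuer:
        # A serial number is only unique within one issuer, so it cannot stand alone.
        raise ValueError("empty issuer name: serial number alone is not unique")
    matches = find_by_issuer_and_serial(store, issuer, serial)
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} certificates match; expected exactly 1")
    return matches[0]

# Constructed sample data: two unrelated CAs that both issued serial 0x1234.
CA_A = [("C", "US"), ("O", "Example A"), ("CN", "Example A CA")]
CA_B = [("C", "US"), ("O", "Example B"), ("CN", "Example B CA")]
STORE = [
    {"issuer": CA_A, "serial": 0x1234, "subject": "alice@a.example"},
    {"issuer": CA_B, "serial": 0x1234, "subject": "bob@b.example"},
]
# The same certificates as they would look if empty issuer names were permitted.
EMPTY_ISSUER_STORE = [dict(c, issuer=[]) for c in STORE]

if __name__ == "__main__":
    # Issuer DN as it might arrive in a SignerInfo, with different case and spacing.
    received = [("c", "us"), ("o", "example  a"), ("cn", "EXAMPLE A CA")]
    print(select_signer_cert(STORE, received, 0x1234)["subject"])
    # With empty issuers, both certificates match the same identifier.
    print(len(find_by_issuer_and_serial(EMPTY_ISSUER_STORE, [], 0x1234)))
```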