draft-ietf-pkix-ac509prof-09.txt is coming...
Steve Farrell and I were just notified about an inconsistency with the AC
Profile and the most recent X.509. We are posting an update to resolve the
issue. This quick note summarizes the minor change and the reason for it.
Presently, we require that an AA be identified by a distinguished
name. This is parallel to the RFC 2459 requirement that a CA be identified by
a distinguished name.
The AA is identified with the following ASN.1:

    AttCertIssuer ::= CHOICE {
        v1Form   GeneralNames,
        v2Form   [0] V2Form }

    V2Form ::= SEQUENCE {
        issuerName          GeneralNames OPTIONAL,
        baseCertificateID   [0] IssuerSerial OPTIONAL,
        objectDigestInfo    [1] ObjectDigestInfo OPTIONAL }

Due to a backward compatibility issue, the v1Form no longer exists in
X.509. So, to get what we want, we must require the use of issuerName in
the v2Form. This all works out just fine except that it generates
different bits on the wire! There is an additional zero-tagged SEQUENCE,
and the associated length, before the GeneralNames.
Russ
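
The difference on the wire described in the message above, shown as an added example that is not part of the original post or of the draft: it DER-encodes the same GeneralNames both ways and classifies an encoded AttCertIssuer by its leading tag. It assumes IMPLICIT tagging for the [0] alternative (which matches the "zero-tagged SEQUENCE" wording); the function names and the sample CN are constructed for illustration.

```python
# Added example. Assumes IMPLICIT tagging for "[0]"; all names here are hypothetical.

def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def general_names_dn(cn: str) -> bytes:
    """GeneralNames with one directoryName holding a single CN (constructed sample)."""
    atv = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, cn.encode("ascii")))
    name = tlv(0x30, tlv(0x31, atv))      # Name: SEQUENCE OF SET OF AttributeTypeAndValue
    return tlv(0x30, tlv(0xA4, name))     # directoryName [4]; explicit because Name is a CHOICE

def issuer_v1(gn: bytes) -> bytes:
    return gn                             # v1Form is the bare GeneralNames SEQUENCE

def issuer_v2(gn: bytes) -> bytes:
    return tlv(0xA0, gn)                  # v2Form: [0] wrapper around issuerName

def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, next_offset); reject indefinite or truncated encodings."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    n = first
    if first & 0x80:
        k = first & 0x7F
        if k == 0 or off + k > len(buf):
            raise ValueError("bad length")
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[off:off + n], off + n

def classify_issuer(der: bytes) -> str:
    tag, body, end = read_tlv(der)
    if end != len(der) or tag not in (0x30, 0xA0):
        raise ValueError("not a single AttCertIssuer")
    if tag == 0x30:
        return "v1Form"
    off, tags = 0, []
    while off < len(body):
        t, _, off = read_tlv(body, off)
        tags.append(t)
    # Inside V2Form: 0x30 = issuerName, 0xA0 = baseCertificateID, 0xA1 = objectDigestInfo
    return "v2Form with issuerName" if 0x30 in tags else "v2Form without issuerName"
```

For a name shorter than 128 bytes the v2Form encoding is exactly two bytes longer than the v1Form encoding (the A0 tag and its length), so a decoder written for one form will not accept the other.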