Re: excludedSubtrees (was Re: draft-ietf-pkix-new-part1-08)
As far as I can tell, the only excludedSubtree with DirectoryName
which is widely usable and doesn't run into the character code problems
discussed earlier is one which contains a countryName and no other
attributes. Thus I would not change the last sentence of the paragraph
(it's good advice anyway) but would add a new sentence to it after the
first sentence as follows: "This is particularly hard to guarantee when one
or more of the attributes in the DN specification is encoded as a CHOICE,
such as DirectoryString." and change the beginning of the next sentence to
"If the encodings differ" from "If not".
Tom Gindin
Steve Hanna <steve.hanna@xxxxxxx> on 08/23/2001 10:20:04 AM
To: Tom Gindin <tgindin@xxxxxxxxxx>
cc: Peter Sylvester <Peter.Sylvester@xxxxxxxxxx>, ietf-pkix@xxxxxxx
Subject: Re: excludedSubtrees (was Re: draft-ietf-pkix-new-part1-08)
Tom Gindin wrote:
> On a more constructive note, however, any attribute which can only
> be encoded in PrintableString or NumericString (or Object ID) can
> safely be used in excludedSubtrees. The most useful of these is
> probably Country.
Right. So I can safely use excludedSubtrees with directoryNames as long
as the only attributes in the excluded DN are countryName, dnQualifier,
and serialNumber. But I suspect that most DNs that people would want to
exclude would contain organizationName and the like.
So I still think that using excludedSubtrees with directoryNames is
generally a bad idea. The Security Considerations section of
new-part1-08 basically says this, so I don't think any changes to the
draft are required.
-Steve
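Added example, not code from the thread or the draft: it hand-encodes a few DNs with a minimal DER encoder (constructed for the demo) and shows that a byte-level subtree match fails when organizationName is carried as UTF8String rather than PrintableString, while a countryName-only constraint matches either way. The value-based comparison at the end is one encoding-tolerant policy a verifier might adopt, not something the draft requires.

```python
# Added demo (not from the PKIX thread): DirectoryString is a CHOICE, so the same
# organizationName can be DER-encoded two ways; countryName is PrintableString only.
PRINTABLE, UTF8 = 0x13, 0x0C                       # DirectoryString CHOICE tags
OID_C, OID_O = b"\x55\x04\x06", b"\x55\x04\x0a"   # id-at-countryName, id-at-organizationName

def _tlv(tag, content):
    assert len(content) < 128                      # short-form lengths suffice here
    return bytes([tag, len(content)]) + content

def _read_tlv(buf, i):
    tag, ln = buf[i], buf[i + 1]
    return tag, buf[i + 2:i + 2 + ln], i + 2 + ln

def rdn(oid, text, string_tag):
    """Single-valued RDN: SET { SEQUENCE { AttributeType, AttributeValue } }."""
    atv = _tlv(0x30, _tlv(0x06, oid) + _tlv(string_tag, text.encode("utf-8")))
    return _tlv(0x31, atv)

def name(*rdns):
    """X.501 Name: SEQUENCE OF RelativeDistinguishedName, root-most first."""
    return _tlv(0x30, b"".join(rdns))

def parse_name(der):
    """Decode a Name built by name() into [(oid, string_tag, text), ...]."""
    _, body, _ = _read_tlv(der, 0)
    out, i = [], 0
    while i < len(body):
        _, rdn_body, i = _read_tlv(body, i)        # SET
        _, atv, _ = _read_tlv(rdn_body, 0)         # SEQUENCE
        _, oid, j = _read_tlv(atv, 0)
        vtag, val, _ = _read_tlv(atv, j)
        out.append((oid, vtag, val.decode("utf-8")))
    return out

def excluded_bytewise(base, subject):
    """Naive subtree test: the subject's encoded RDNs begin with the base's encoded RDNs."""
    return subject[2:].startswith(base[2:])        # skip the outer SEQUENCE header

def excluded_by_value(base, subject):
    """Encoding-tolerant subtree test: same OIDs, texts equal after case/space folding."""
    b, s = parse_name(base), parse_name(subject)
    fold = lambda t: " ".join(t.split()).lower()
    return len(b) <= len(s) and all(
        bo == so and fold(bt) == fold(st) for (bo, _, bt), (so, _, st) in zip(b, s))

# Constructed sample data: a CA excludes C=US, O=Example Corp encoded as PrintableString.
EXCLUDED_O = name(rdn(OID_C, "US", PRINTABLE), rdn(OID_O, "Example Corp", PRINTABLE))
EXCLUDED_C = name(rdn(OID_C, "US", PRINTABLE))
SUBJECT_UTF8 = name(rdn(OID_C, "US", PRINTABLE), rdn(OID_O, "Example Corp", UTF8))
SUBJECT_PRINT = name(rdn(OID_C, "US", PRINTABLE), rdn(OID_O, "Example Corp", PRINTABLE))
```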