
Re: I-D ACTION:draft-ietf-pkix-certstore-http-03.txt



Jeff Jacoby <jjacoby@xxxxxxxxxxxxxxx> writes:

>Is it necessary to require an exact match for all attributes, particularly
>for such attributes as the email and name attributes?

In a word, yes.

>For example, I'm looking for the cert for Bill Williams, but I don't know if
>the common name is "Bill Williams" or "Will Williams" or "B. Williams", etc,
>so I might like to try a search on just "Williams"

How would you specify this?  You'd need some sort of general-purpose pattern-
matching mechanism and then a means of mapping it to every possible backend
that might be used to implement the lookup.  The draft specifies a universal
interface to (conceptually) a basic key-and-value lookup engine, which doesn't
extend to general pattern-matching.  If you need anything more than this (for
example searching on compound attributes and similar things) you should really
use LDAP.

>Secondly, the entry for email attribute indicates the value as:
>
>  "Subject email address contained in the certificate, typically as an
>   rfc822Name attribute"
>
>Is it necessary that the email attribute be from the certificate?  Is it a
>reasonable or likely situation that a certificate store might use the email
>address as a database index even though it's not actually in the
>certificate?

I'd never thought of it being done like that, but I can easily change the text
to accommodate it.  How about:

  Subject email address associated with the certificate.  This is typically
  stored in the certificate as an rfc822Name attribute.

Peter.
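The two points in the reply above, that the store is conceptually a plain
key-and-value lookup with exact matching and no pattern matching, and that a
store may index a certificate under an e-mail address that is not inside the
certificate, can be seen in a small model of such a store. This is an added
example, not code from the draft or from any real certificate store; the
`CertRecord` fields, the `CertStore` class and the constructed certificate data
are all assumptions made for illustration, and the exact-match rule here is a
byte-for-byte string comparison (the draft's own normalisation rules, if any,
are not modelled).

```python
"""Model of an exact-match certificate store keyed by (attribute, value).

Added example; not the draft's code or any real implementation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CertRecord:
    """Stand-in for a stored certificate (assumed fields, not a real parser)."""
    subject_cn: str        # commonName from the certificate subject
    subject_emails: tuple  # rfc822Name values present in the certificate
    der: bytes             # the certificate bytes (constructed placeholder)


class CertStore:
    """Basic key-and-value lookup engine.

    Every (attribute, value) pair is a key; a lookup returns exactly the
    certificates indexed under that key. There is deliberately no substring,
    wildcard or compound-attribute matching: that is LDAP's job, not this
    interface's.
    """

    def __init__(self):
        self._index = defaultdict(set)

    def add(self, cert, extra_emails=()):
        """Index a certificate under its own attributes.

        extra_emails models a store that associates e-mail addresses with the
        certificate (for example from a directory) even though those addresses
        do not appear in the certificate itself.
        """
        self._index[("name", cert.subject_cn)].add(cert)
        for email in cert.subject_emails:
            self._index[("email", email)].add(cert)
        for email in extra_emails:
            self._index[("email", email)].add(cert)

    def lookup(self, attribute, value):
        """Exact match only: the key either exists or it does not."""
        hits = self._index.get((attribute, value), ())
        return sorted(hits, key=lambda c: c.der)


def demo():
    """Constructed data showing exact-match behaviour and external indexing."""
    store = CertStore()
    bill = CertRecord("Bill Williams", ("bill@example.com",), b"cert-1")
    # Constructed scenario: the store also knows Bill by a directory address
    # that is not an rfc822Name inside the certificate.
    store.add(bill, extra_emails=("williams@example.com",))

    return {
        # Exact commonName matches.
        "exact_name": [c.der for c in store.lookup("name", "Bill Williams")],
        # A partial name is just a different key; nothing is found.
        "partial_name": [c.der for c in store.lookup("name", "Williams")],
        # Address carried in the certificate.
        "cert_email": [c.der for c in store.lookup("email", "bill@example.com")],
        # Address associated by the store but absent from the certificate.
        "external_email": [c.der for c in store.lookup("email", "williams@example.com")],
        # Case differs, so the key differs under a byte-exact rule.
        "case_variant": [c.der for c in store.lookup("email", "Bill@example.com")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the `partial_name` and `case_variant` entries is that nothing in
the interface knows what "close enough" means; any fuzzier lookup would need
a pattern language and a mapping of it onto every backend, which is exactly
what the reply declines to specify.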