[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D ACTION:draft-ietf-pkix-certstore-http-03.txt

To: pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)
Subject: Re: I-D ACTION:draft-ietf-pkix-certstore-http-03.txt
From: "Tom Gindin" <tgindin@xxxxxxxxxx>
Date: Mon, 23 Dec 2002 19:06:03 -0500
Cc: ietf-pkix@xxxxxxx, jjacoby@xxxxxxxxxxxxxxx
Importance: Normal
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
Sensitivity:

      How about mentioning the other two normal ways of storing the email
address: "This is typically stored in the certificate either within the
subject DN as a value of one of the attributes rfc822mailbox or
emailAddress, or in the subjectAltName extension using the rfc822Name
choice of GeneralName".   I've personally never seen anyone use any other
way than those three.

            Tom Gindin

pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)@mail.imc.org on 12/20/2002
09:10:32 PM

Sent by:    owner-ietf-pkix@xxxxxxxxxxxx

To:    ietf-pkix@xxxxxxx, jjacoby@xxxxxxxxxxxxxxx
cc:
Subject:    Re: I-D ACTION:draft-ietf-pkix-certstore-http-03.txt

Jeff Jacoby <jjacoby@xxxxxxxxxxxxxxx> writes:

>Is it necessary to require an exact match for all attributes, particularly
>for such attributes as the email and name attributes?

In a word, yes.

>For example, I'm looking for the cert for Bill Williams, but I don't know
if
>the common name is "Bill Williams" or "Will Williams" or "B. Williams",
etc,
>so I might like to try a search on just "Williams"

How would you specify this?  You'd need some sort of general-purpose
pattern-
matching mechanism and then a means of mapping it to every possible backend
that might be used to implement the lookup.  The draft specifies a
universal
interface to (conceptually) a basic key-and-value lookup engine, which
doesn't
extend to general pattern-matching.  If you need anything more than this
(for
example searching on compound attributes and similar things) you should
really
use LDAP.

>Secondly, the entry for email attribute indicates the value as:
>
>  "Subject email address contained in the certificate, typically as an
>   rfc882Name attribute
>
>Is it necessary the email attribute be from the certificate.  Is it a
>reasonable or likely situation that a certificate store might use the
email
>address as an database index even though it's not actually in the
>certificate?

I'd never thought of it being done like that, but I can easily change the
text
to accomodate it.  How about:

  Subject email address associated with the certificate.  This is typically
  stored in the certificate as an rfc882Name attribute.

Peter.

Prev by Date: RE: Attribute Cert Policies Rationale
Next by Date: Re: I-D ACTION:draft-ietf-pkix-certstore-http-03.txt
Previous by thread: Re: I-D ACTION:draft-ietf-pkix-certstore-http-03.txt
Next by thread: Re: I-D ACTION:draft-ietf-pkix-certstore-http-03.txt
Index(es):
- Date
- Thread