[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D ACTION:draft-ietf-pkix-certstore-http-03.txt

To: tgindin@xxxxxxxxxx
Subject: Re: I-D ACTION:draft-ietf-pkix-certstore-http-03.txt
From: Russ Housley <housley@xxxxxxxxxxxx>
Date: Thu, 02 Jan 2003 14:27:28 -0500
Cc: ietf-pkix@xxxxxxx, jjacoby@xxxxxxxxxxxxxxx, pgut001@xxxxxxxxxxxxxxxxx
In-reply-to: <OF66E712C7.EEBC0284-ON85256C99.0000111E@pok.ibm.com>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Tom:

RFC 3280 says that subjectAltName extension using the rfc822Name is the way that an email address SHOULD be included in a certificate. I would like to see the text reinforces this, but says that there are certificates that use other placements.

Russ

At 07:06 PM 12/23/2002 -0500, Tom Gindin wrote:

      How about mentioning the other two normal ways of storing the email
address: "This is typically stored in the certificate either within the
subject DN as a value of one of the attributes rfc822mailbox or
emailAddress, or in the subjectAltName extension using the rfc822Name
choice of GeneralName".   I've personally never seen anyone use any other
way than those three.

Tom Gindin


pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)@mail.imc.org on 12/20/2002
09:10:32 PM

Sent by: owner-ietf-pkix@xxxxxxxxxxxx


To:    ietf-pkix@xxxxxxx, jjacoby@xxxxxxxxxxxxxxx
cc:
Subject:    Re: I-D ACTION:draft-ietf-pkix-certstore-http-03.txt

Jeff Jacoby <jjacoby@xxxxxxxxxxxxxxx> writes:

>Is it necessary to require an exact match for all attributes, particularly
>for such attributes as the email and name attributes?

In a word, yes.

>For example, I'm looking for the cert for Bill Williams, but I don't know
if
>the common name is "Bill Williams" or "Will Williams" or "B. Williams",
etc,
>so I might like to try a search on just "Williams"

How would you specify this?  You'd need some sort of general-purpose
pattern-
matching mechanism and then a means of mapping it to every possible backend
that might be used to implement the lookup.  The draft specifies a
universal
interface to (conceptually) a basic key-and-value lookup engine, which
doesn't
extend to general pattern-matching.  If you need anything more than this
(for
example searching on compound attributes and similar things) you should
really
use LDAP.

>Secondly, the entry for email attribute indicates the value as:
>
>  "Subject email address contained in the certificate, typically as an
>   rfc882Name attribute
>
>Is it necessary the email attribute be from the certificate.  Is it a
>reasonable or likely situation that a certificate store might use the
email
>address as an database index even though it's not actually in the
>certificate?

I'd never thought of it being done like that, but I can easily change the
text
to accomodate it.  How about:

  Subject email address associated with the certificate.  This is typically
  stored in the certificate as an rfc882Name attribute.

Peter.

Prev by Date: RE: LDAP PKI Schema (was Re: No-op LDAP ;binary option)
Next by Date: RE: LDAP PKI Schema (was Re: No-op LDAP ;binary option)
Previous by thread: RE: LDAP PKI Schema (was Re: No-op LDAP ;binary option)
Next by thread: Re: I-D ACTION:draft-ietf-pkix-certstore-http-03.txt
Index(es):
- Date
- Thread