RE: Recommendation on subject matching rules needed..
> >It seems that all the software we have tested (eg. MSoft, Utimaco)
>
> Everyone, not just those two.
OK - this is more or less what I assumed :( Do you know if there is any
work being done on this subject in terms of a recommendation
paper/draft/something?
I mean, this is like a person with a new passport being denied entrance
to some country, because on his/her previous visit his/her passport had
a different serial number.. (ok - a bit bad analogy, but anyways..)
> >The only problem is that the encryption key pair may have been
> >recertified in between.
>
> Therein lies the problem: Don't issue multiple certificates
> for the same key. If you "recover the archived encryption
> keypair" why not recover the cert that goes with it?
Our cards (=certs) are valid for three years. If the card has been in
use for 2 years when we reissue it with recovered enc key, we need to
reissue the enc cert also - otherwise the recovered enc key cert could
be usable only for one year whereas the other certs would be usable for
three years.
Also - if we pile up all the previous enc certs to the card along with
the new cert, we run out of card space as well as introduce new problems
since the apps usually don't iterate through all the certs and end up
using the first cert available.
Saku.