Re: Question about Certificate Issuer CRL Entry Extension

[Denis Pinkas <Denis.Pinkas@xxxxxxxx>]

Steve,

> The Certificate Issuer CRL entry extension (described in
> section 5.3.4 of RFC 3280) is a GeneralNames structure
> that identifies the certificate issuer for the CRL entry
> to which it is attached (and also to all subsequent entries
> in that CRL until another Certificate Issuer CRL entry
> extension is encountered.

> RFC 3280 doesn't say so, but I believe that within a PKIX
> (Internet) environment (where each certificate must have a
> non-empty X.500 issuer name and issuer alternative names are
> generally ignored) this extension MUST always contain at
> least one X.500 name so that the relying party can match
> this name against the issuer name in the certificate, as
> described in section 6.3.3 item (j) of RFC 3280. And I think
> that text describing this requirement should be added to the
> successor to RFC 3280. Does everyone agree with this?

Matching a CRL Issuer name against a CA name is not always required, but 
having one name format would be nice. Would would be the exact phrasing ?

> I also wonder whether anyone can think of a reason why this
> CRL entry extension should ever contain anything other than
> a single X.500 name in a PKIX (Internet) environment. If not,
> then the requirement can (and should) be made even more strict,
> specifying that this extension MUST contain only a single X.500
> name. Please let me know if you have a reason why this would not
> be a good idea.

What about certificates issued after December 31, 2003 ?

RFC 3280 states:

   The UTF8String encoding [RFC 2279] is the preferred encoding,
   and all certificates issued after December 31, 2003 MUST use
   the UTF8String encoding of DirectoryString.

Isn't there a reason to have the same name encoded both using 
printableString and utf8String during some transition period ?

Denis

> Thanks,
>
> Steve