RE: Question about Certificate Issuer CRL Entry Extension
Denis:
I think Steve Hanna is talking about the certificate issuer name in the CRL
entry extension and the need to match it to the issuer DN of the certificate
of interest.
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Denis Pinkas
Sent: Tuesday, July 15, 2003 8:48 AM
To: Steve Hanna
Cc: PKIX List
Subject: Re: Question about Certificate Issuer CRL Entry Extension
Steve,
> The Certificate Issuer CRL entry extension (described in section 5.3.4
> of RFC 3280) is a GeneralNames structure that identifies the
> certificate issuer for the CRL entry to which it is attached (and also
> to all subsequent entries in that CRL until another Certificate Issuer
> CRL entry extension is encountered.
> RFC 3280 doesn't say so, but I believe that within a PKIX
> (Internet) environment (where each certificate must have a non-empty
> X.500 issuer name and issuer alternative names are generally ignored)
> this extension MUST always contain at least one X.500 name so that the
> relying party can match this name against the issuer name in the
> certificate, as described in section 6.3.3 item (j) of RFC 3280. And I
> think that text describing this requirement should be added to the
> successor to RFC 3280. Does everyone agree with this?
Matching a CRL Issuer name against a CA name is not always required, but
having one name format would be nice. What would be the exact phrasing?
> I also wonder whether anyone can think of a reason why this CRL entry
> extension should ever contain anything other than a single X.500 name
> in a PKIX (Internet) environment. If not, then the requirement can
> (and should) be made even more strict, specifying that this extension
> MUST contain only a single X.500 name. Please let me know if you have
> a reason why this would not be a good idea.
What about certificates issued after December 31, 2003?
RFC 3280 states:
The UTF8String encoding [RFC 2279] is the preferred encoding,
and all certificates issued after December 31, 2003 MUST use
the UTF8String encoding of DirectoryString.
Isn't there a reason to have the same name encoded both using
printableString and utf8String during some transition period?
Denis
> Thanks,
>
> Steve
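As an added example (not code from the thread or from any PKIX implementation), a simplified Python model of the matching Steve and Denis are discussing: the name carried in a certificateIssuer CRL entry extension applies to that entry and to every later entry until the next extension, an entry whose extension holds no directoryName is rejected because there is no X.500 name to match against the certificate's issuer DN, and DN comparison treats the PrintableString and UTF8String forms of one name as equal. The names, serials and the comparison policy are constructed assumptions for illustration, not RFC 3280's exact rules.

```python
from dataclasses import dataclass
from typing import Optional

# A DN is a tuple of attributes (type, ASN.1 string type, decoded text).
# All names and serials below are constructed for this example.
CRL_ISSUER = (("C", "printableString", "US"), ("CN", "printableString", "Example Indirect CRL"))
CA1_PRINTABLE = (("C", "printableString", "US"), ("CN", "printableString", "Example CA 1"))
CA1_UTF8 = (("C", "printableString", "US"), ("CN", "utf8String", "Example CA 1"))
CA2 = (("C", "printableString", "US"), ("CN", "utf8String", "Example CA 2"))

def names_match(dn_a, dn_b):
    """Compare DNs attribute by attribute on type and decoded text, so the
    PrintableString and UTF8String forms of one name compare equal (the
    transition-period case raised in the thread). Assumed policy."""
    return len(dn_a) == len(dn_b) and all(
        a[0] == b[0] and a[2] == b[2] for a, b in zip(dn_a, dn_b))

@dataclass
class CRLEntry:
    serial: int
    certificate_issuer: Optional[list] = None  # GeneralNames as [(tag, value), ...]

def directory_name(general_names):
    """First directoryName in a GeneralNames, or None if there is none."""
    return next((v for tag, v in general_names if tag == "directoryName"), None)

def find_revocation(crl_issuer, entries, cert_issuer, cert_serial):
    """Return the entry that revokes (cert_issuer, cert_serial), or None.
    A certificateIssuer extension covers its own entry and every later entry
    until the next one; entries before the first belong to the CRL issuer."""
    current_issuer = crl_issuer
    for entry in entries:
        if entry.certificate_issuer is not None:
            dn = directory_name(entry.certificate_issuer)
            if dn is None:  # no X.500 name to match an issuer DN against
                raise ValueError(f"entry {entry.serial}: certificateIssuer lacks a directoryName")
            current_issuer = dn
        if entry.serial == cert_serial and names_match(current_issuer, cert_issuer):
            return entry
    return None

# Constructed indirect CRL: serial 200 is listed twice, under two different CAs.
SAMPLE_ENTRIES = [
    CRLEntry(100),                                      # CRL issuer's own certificate
    CRLEntry(200, [("directoryName", CA1_PRINTABLE)]),  # switch to CA 1
    CRLEntry(201),                                      # still CA 1 (inherited)
    CRLEntry(200, [("directoryName", CA2)]),            # switch to CA 2
]
```

Looking up serial 200 without checking the current issuer would wrongly treat CA 1's and CA 2's certificates as the same revocation; the issuer match is what keeps them apart.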