
Re: Effect of adding an attribute to CSR

Puneet kumar wrote:

We recently received a CSR from a new CA. We added the attribute "cn" to the DN of the CSR (as this is a requirement at our end) and then issued the cert. [...]
1. Does adding an attribute to the CSR make any difference to the acceptability of the cert?

I don't believe any of the IETF standards tries to cover this point or to say explicitly what the right thing to do is in such a situation.
It can be considered a local decision.
This said, the CMC RFC 2797 does describe a case where the request subject DN is null and where the CA will generate the correct DN.

Generally speaking, the CSR format enables the requester to include many elements, and the CA will have security reasons to filter them and keep only what it considers valid.
A CA definitely cannot accept the elements in a request directly, and has to either reject requests that don't conform or correct them.

There are many examples on the market of CAs that will reformat the DN of a request, or simply ignore it and use another source to generate the DN of the certificate.
There are good reasons for a CA to normalise the DN it receives in order to avoid problems: some request-generating software does not put the DN components in the normal order, or uses an invalid string type.
Also, if the CA wants to conform fully to RFC3290, it should only emit certificates with UTF8String encoding since December 31, 2003.
That's another case where a CA may consider that the best solution is to re-encode all requests in UTF8String format before emitting the cert.

2. What options do we have at our end? I mean, do we need to revoke the cert? Can we re-certify the cert? Actually, I didn't find the term "re-certify" in any standard; certs are either revoked or expire. Your comments would be most welcome.

It seems to me the easiest solution is to revoke the cert and ask the CA to submit another request that conforms to your policy for CA DN naming.
When they send you a request that includes a CN, you will not have to modify it before emitting the cert, and everything will work correctly.

3. Are there any setting changes that can be done in the Entrust CA software to allow this cert with the changed distinguished name to be accepted?

That is a question to ask that specific vendor.
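The following is an added example, not code from the original thread or from any CA product mentioned in it. It shows the two points discussed above in running form: a CA that normalises the subject DN of a request (adds the CN its policy requires and re-encodes every attribute as UTF8String, mimicking a requester that used PrintableString), and the check a relying party actually performs on the issued certificate, which never consults the CSR. It assumes the `cryptography` package; the names, OIDs and the hypothetical `issue()`/`normalise_subject()` helpers are illustrative, and the `_type` argument used to build the PrintableString request is a private parameter of that library.

```python
"""Added example (not from the original thread): CA-side DN normalisation and
relying-party verification.  Assumptions: the required attribute is a CN, the
CA policy re-encodes all DirectoryString attributes as UTF8String, and the
`cryptography` package is installed.  All names below are constructed."""
import datetime

from cryptography import x509
from cryptography.x509.name import _ASN1Type      # private; only used to mimic a PrintableString request
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

UTF8STRING, PRINTABLESTRING = 0x0C, 0x13          # ASN.1 universal tags


def der_string_tags(name_der: bytes) -> dict:
    """Count the string tags used for attribute values in a DER-encoded Name.
    Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; minimal TLV walk."""
    def tlv(buf, pos):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                          # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        return tag, buf[pos:pos + length], pos + length

    counts = {}
    _, rdns, _ = tlv(name_der, 0)                  # outer SEQUENCE
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = tlv(rdns, pos)           # SET
        p = 0
        while p < len(rdn_set):
            _, atv, p = tlv(rdn_set, p)            # SEQUENCE { OID, value }
            _, _, q = tlv(atv, 0)                  # skip the OID
            tag, _, _ = tlv(atv, q)                # tag of the value
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def normalise_subject(csr, required_cn: str) -> x509.Name:
    """CA policy (hypothetical): keep the requested attributes, add the CN if it
    is missing, and rebuild each attribute with the library default encoding
    (UTF8String) regardless of the string type the requester used."""
    attrs = [(a.oid, a.value) for a in csr.subject]
    if not any(oid == NameOID.COMMON_NAME for oid, _ in attrs):
        attrs.append((NameOID.COMMON_NAME, required_cn))
    return x509.Name([x509.NameAttribute(oid, value) for oid, value in attrs])


def _ca_cert(subject, issuer, pubkey, signer, path_length):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=path_length), critical=True)
            .sign(signer, hashes.SHA256()))


def issue(csr, ca_cert, ca_key, required_cn: str):
    """Check the CSR is self-signed (proof of key possession) before trusting
    anything in it, then issue with the normalised subject."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: requester does not hold the key")
    return _ca_cert(normalise_subject(csr, required_cn), ca_cert.subject,
                    csr.public_key(), ca_key, path_length=0)


def chains_to(cert, ca_cert) -> bool:
    """What a verifier actually checks: issuer name match and the CA signature
    over the certificate's own TBSCertificate.  The CSR plays no part."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def demo() -> dict:
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    root = _ca_cert(root_name, root_name, root_key.public_key(), root_key, path_length=None)

    # Constructed request: no CN, and O/OU deliberately encoded as PrintableString.
    sub_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    requested = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org", _type=_ASN1Type.PrintableString),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Sub CA", _type=_ASN1Type.PrintableString),
    ])
    csr = x509.CertificateSigningRequestBuilder().subject_name(requested).sign(sub_key, hashes.SHA256())
    cert = issue(csr, root, root_key, required_cn="Example Sub CA")
    return {
        "csr_tags": der_string_tags(csr.subject.public_bytes()),      # {0x13: 2}
        "cert_tags": der_string_tags(cert.subject.public_bytes()),    # {0x0C: 3}
        "subject_changed": cert.subject != csr.subject,
        "cn": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "same_key": cert.public_key().public_numbers() == csr.public_key().public_numbers(),
        "chains_to_root": chains_to(cert, root),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the summary dict: the request carried two PrintableString attributes and no CN, the issued certificate carries three UTF8String attributes including the added CN, the key is the requester's, and the certificate verifies against the root. Whether the subject mismatch is acceptable is therefore purely a matter of the CA's and the requester's naming policy, as the reply says, not of what verifiers check.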