misc PKIX-1 comments
Here are a few observations on the (newly-reformatted -- thanks!)
draft-ietf-pkix-ipki-part1-05.txt:
* the definition of RelativeDistinguishedName in section 4.1.2.4 is
still incorrect -- it uses AttributeValueAssertion instead of
AttributeTypeAndValue. Although the syntax of AVA and AT&V are the
same, their meaning is different.
From X.501 section 8.7.2: "An attribute value assertion (AVA) is a
proposition ... concerning the presence in an entry of an attribute
value of a particular type.", i.e. AVAs are used in matching rules
to select entries from the Directory.
From X.501 section 9.3: "An RDN ... consists of a set of attribute
type and value pairs ...", and notes that "the attribute syntax and
the assertion syntax of the equality matching rule are the same".
Change the PKIX definition to be consistent with the X.501 definition:
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
(the correct definition appears in Appendices A and B, but section 4.1.2.4
wasn't fixed. The now-unneeded definitions of AVA can be removed from
the appendices.)
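The definition this comment asks for, RelativeDistinguishedName ::= SET OF AttributeTypeAndValue, made concrete as an added example (my code, not the draft's and not the poster's): a minimal DER encoder and decoder for an RDN, which also shows the DER rule that SET OF members are sorted by their encoding, so a multi-valued RDN has one canonical form. Assumptions: attribute values are PrintableString and all lengths fit the short form.

```python
# Added example (not from the original message): a minimal DER codec for
# RelativeDistinguishedName ::= SET OF AttributeTypeAndValue, with
# AttributeTypeAndValue ::= SEQUENCE { type OID, value PrintableString }; stdlib only.

def _tlv(tag: int, body: bytes) -> bytes:
    """Tag + DER length + body. Short-form length only (body < 128 octets)."""
    if len(body) >= 0x80:
        raise ValueError("long-form length not implemented in this example")
    return bytes([tag, len(body)]) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]            # first two arcs share one octet
    for arc in arcs[2:]:                      # base-128, high bit = more follows
        chunk = [arc & 0x7F]
        while (arc := arc >> 7):
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_rdn(pairs) -> bytes:
    """pairs: [(dotted OID, str)]. DER orders SET OF members by encoding."""
    atvs = [_tlv(0x30, encode_oid(t) + _tlv(0x13, v.encode("ascii"))) for t, v in pairs]
    return _tlv(0x31, b"".join(sorted(atvs)))

def _read_tlv(buf: bytes, pos: int, expect: int):
    """Return (body, next_pos) for the TLV at pos; checks the tag, short length only."""
    tag, n = buf[pos], buf[pos + 1]
    if tag != expect or n & 0x80:
        raise ValueError("expected tag 0x%02x with short length at %d" % (expect, pos))
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0   # valid for arcs 0-2 (e.g. 2.5.4.x)
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_rdn(der: bytes):
    """SET OF SEQUENCE { OID, PrintableString } -> [(dotted OID, str)]."""
    body, _ = _read_tlv(der, 0, 0x31)             # RelativeDistinguishedName
    pairs, pos = [], 0
    while pos < len(body):
        seq, pos = _read_tlv(body, pos, 0x30)     # AttributeTypeAndValue
        oid, p = _read_tlv(seq, 0, 0x06)          # type
        val, _ = _read_tlv(seq, p, 0x13)          # value
        pairs.append((decode_oid(oid), val.decode("ascii")))
    return pairs
```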
* In Section 4.2, replace occurrences of "altSubjectName", "altIssuerName",
and "the alternative subject name" with "subjectAltName", etc. It's
not an alternative subject, just an alternative name for the same
subject :-).
* In Section 4.2.2.1, delete the text beginning with:
"The authorityInfoAccess extension may be included in a PKCS 7
encapsulation as an X.501 ATTRIBUTE.",
as it is out of scope for the certificate profile.
Descriptions of attributes to be included in PKCS 7 messages and
details for forming filenames for HTTP certificate retrieval
mechanisms have nothing to do with the X.509 certificate profile,
which defines the contents of the certificate itself. The description
of specific message encapsulation formats and retrieval mechanisms
belongs in Part 2.
* Section 5.1 contains duplicate definitions of Version, AlgorithmIdentifier,
CertificateSerialNumber, Extensions, etc. For example, the comment
after Version says:
"-- v3 does not apply to CRLs but appears for consistency with
-- definition of Version for certs"
There would not be an issue of consistency if there were not multiple
definitions. Additionally, how do ASN.1 compilers handle multiple
definitions with the same name in a single module? X.509 does not
contain duplicate definitions, the CRL section just contains the
macrofied definition of CertificateList.
Delete the duplicate definitions from Section 5.1 and Appendix A.
Appendix B is already correct.
* Replace all occurrences of "ChoiceOfTime" (used in Validity, thisUpdate,
and nextUpdate) with "Time", to be consistent with the name used in X.509.
* The mail attachment headers ("X-Sun-xxx") and command lines should be
stripped from the examples in Appendix D.