PKIX Cert and CRL profile bugs and queries
First a bug:
The OID for Diffie-Hellman parameters differs in the text of the document:
{ iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }
and the ASN.1 in the appendix:
{ iso(1) member-body(2) us(840) ansi-x942(10046) 1 }
Since this document is going to last call, I think someone needs to have a
close read of the ASN.1 in the text and the appendices to make sure they
match (I'm not volunteering :-) ).
Next a query:
With regard to DNs, PKIX simply states that you should use X.501 standard
attributes. However, I'd like to see some recommendations/constraints in here
a la Peter Gutmann's X.509 style guide, namely:
Implementations conforming to this profile should not generate Certificates
and CRLs including DNs which use multivalued SETs of AVAs. SETs are yucky to
DER encode (you have to sort on tag value from memory), and I would expect
that this would make life easier for developers. Implementations may still
accept other Certs and CRLs which do have multivalue AVA sets (DER decoding of
SETs is much easier than encoding).
Also a recommendation that DNs include attributes from the set {common name,
country, organization, organizational unit, state or province, street address,
locality} would be useful. The profile should list the OIDs for these:
ds ID ::= {joint-iso-ccitt(2) 5}
commonName OBJECT IDENTIFIER ::= {ds 4 3}
countryName OBJECT IDENTIFIER ::= {ds 4 6}
localityName OBJECT IDENTIFIER ::= {ds 4 7}
stateOrProvinceName OBJECT IDENTIFIER ::= {ds 4 8}
streetAddress OBJECT IDENTIFIER ::= {ds 4 9}
organizationName OBJECT IDENTIFIER ::= {ds 4 10}
organizationalUnitName OBJECT IDENTIFIER ::= {ds 4 11}
This doesn't preclude the use of other attributes in the DN, just gives a
recommended set which (among other things) are easy to convert to an RFC1779
string representation.
Just my (rather belated) $0.02.
--
+----------------------------------------+-------------------------------+
| Dean Povey, | Email: povey@dstc.edu.au |
| Research Scientist, Security Unit, | Phone: +61 7 3864 2799 |
| CRC for Distributed Systems Technology | Fax: +61 7 3864 1282 |
+----------------------------------------+-------------------------------+