Re: [IETF-PKIX] PKIX Part 1: more clarity needed on AltNames
> From: Paul Hoffman / IMC <phoffman@IMC.ORG>
>
> [snip]
>
> If the answer to the above is "only the combination", what do you do with a
> cert that has two AltNames, one that is set critical and one that isn't? If
> the answer to the above is "either is definitive", does that answer still
> hold true if the AltName is marked critical?

This case cannot arise: section 4.2 specifies that only one instance of
a particular extension may appear in a particular certificate. The
single AltName extension may contain more than one name, including more
than one name in a particular namespace, but they all have the same
criticality status.

It's worth remembering that the criticality flag does *not* affect the
meaning of an extension; the flag's sole purpose is to cause
applications which do not understand the extension to reject the
certificate. If an application does understand an extension, it makes
absolutely no difference whether the extension is marked critical or
not - the critical flag should not even be examined. The recent
discussion of certificatePolicies stirred up some mud in this area -
it's probably a good idea to specify the purpose *and the non-purpose*
of the critical flag more explicitly in section 4.2. Something like:
"If an implementation recognizes the syntax of a particular extension,
the value of the critical boolean in that extension SHALL be ignored."

As to the case of a subject DN and a subjectAltName, I don't know if
there is an answer to be found in part 1. My guess would be that
the CA is vouching for the binding between each name in a certificate
and the remaining contents of the certificate. It's probably a
distinction without a difference to ask whether the CA is vouching for
a binding between name A and name B - if both are bound to the same
public key (in the same cert or in separate, otherwise identical certs),
then they are implicitly equally valid, and it doesn't make much sense
to ask which name is "definitive".

The CPS would describe the CA's procedures and assurances for verifying
names, and those procedures would likely be different for different
namespaces. It is up to the relying party to evaluate the assurance of
each name and the name's relevance to the application.
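As an added example that is not part of this message or of PKIX Part 1, here is a small Python checker applying the two section 4.2 rules discussed above: one instance of each extension per certificate, and the critical flag consulted only for extensions the application does not recognize. The minimal DER parser, the RECOGNIZED table, the placeholder private OID 1.3.6.1.4.1.99999.1 and the sample extension bytes (a critical subjectAltName carrying a dNSName and an rfc822Name) are all constructed for this example.

```python
def _tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extensions(der: bytes) -> list[tuple[bytes, bool, bytes]]:
    """Extensions ::= SEQUENCE OF Extension {extnID, critical DEFAULT FALSE, extnValue}."""
    _, seq, _ = _tlv(der, 0)
    exts, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _tlv(seq, pos)
        _, oid, p = _tlv(ext, 0)                        # extnID as raw OID bytes
        tag, body, p = _tlv(ext, p)
        critical = tag == 0x01 and body != b"\x00"      # DER omits the BOOLEAN unless TRUE
        if tag == 0x01:
            _, body, _ = _tlv(ext, p)                   # the OCTET STRING extnValue follows it
        exts.append((oid, critical, body))
    return exts

RECOGNIZED = {b"\x55\x1d\x11": "subjectAltName", b"\x55\x1d\x0f": "keyUsage"}  # 2.5.29.17, 2.5.29.15

def evaluate(der: bytes) -> tuple[bool, list[str]]:
    """4.2 rules: one instance per extnID; recognized -> process, critical flag not consulted; unrecognized critical -> reject; else skip."""
    seen, log = set(), []
    for oid, critical, value in parse_extensions(der):
        if oid in seen:
            return False, log + [f"duplicate extension {oid.hex()}"]
        seen.add(oid)
        if oid in RECOGNIZED:
            log.append(f"processed {RECOGNIZED[oid]} ({len(value)} bytes)")
        elif critical:
            return False, log + [f"unrecognized critical extension {oid.hex()}"]
        else:
            log.append(f"skipped unrecognized non-critical extension {oid.hex()}")
    return True, log

def _enc(tag: int, body: bytes) -> bytes:              # short-form DER, for the constructed samples
    return bytes([tag, len(body)]) + body
def _ext(oid: bytes, critical: bool, value: bytes) -> bytes:
    return _enc(0x30, _enc(0x06, oid) + (_enc(0x01, b"\xff") if critical else b"") + _enc(0x04, value))

# Constructed samples: a critical SAN with a dNSName and an rfc822Name, plus a placeholder private OID (1.3.6.1.4.1.99999.1) this app does not know.
NAMES = _enc(0x30, _enc(0x82, b"www.example.com") + _enc(0x81, b"admin@example.com"))
SAN, PRIV = _ext(b"\x55\x1d\x11", True, NAMES), b"\x2b\x06\x01\x04\x01\x86\x8d\x1f\x01"
OK_EXTS = _enc(0x30, SAN + _ext(PRIV, False, b"\x05\x00"))     # accepted
BAD_EXTS = _enc(0x30, SAN + _ext(PRIV, True, b"\x05\x00"))     # rejected: unrecognized critical
DUP_EXTS = _enc(0x30, SAN + SAN)                               # rejected: two subjectAltName instances
```

Note that the SAN's critical flag never reaches the decision path once the OID is in RECOGNIZED, which is exactly the "SHALL be ignored" behaviour proposed above.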