
Re: [IETF-PKIX] OCSP: Method of Identifying Certificates



Ambarish Malpani wrote:
 
> Hi All,
>     Would like to get closure on the method of identifying
> certificates. I think nobody has any objections to including the
> issuer's public key in the information that is used to identify the
> issuer. The main point of contention is whether to send the whole
> DN or the hash of the DN.
> 
> Tim, hopefully your issue with sending over the hash of the DN can
> be addressed by canonicalizing the issuer's DN before hashing it
> (are there any such canonicalization rules)?
> 
> So, here are the options:
> 
> 1. Hash(IssuerDN and IssuerPublicKey) and CertSerialNumber
> 2. Hash(IssuerDN), Hash(IssuerPublicKey) and CertSerialNumber
> 3. IssuerDN, Hash(IssuerPublicKey) and CertSerialNumber

From the options that are proposed, option 3 is the only one that is
working for all environments.

The argument is that neither Hash(IssuerDN) nor Hash(IssuerDN and
IssuerPublicKey) can be used to find which CA has issued a certificate
unless you get a hint by some other means.

In option 3, we should allow either IssuerDN or alternate name to be
used, since I do not think it is appropriate to mandate DNs for CAs (no
argument has been given on the list up to now to explain why DNs would
work better than alternate names as long as the latter are unique).

Regards,

Denis

> What are the opinions of the group? I would like to have a quick
> flurry of opinions before we decide to go one way or the other.
> 
> Regards,
> Ambarish

-- 
      Denis Pinkas     Bull S.A.          mailto:Denis.Pinkas@bull.net
      Rue Jean Jaures  B.P. 68            Phone : 33 - 1 30 80 34 87
      78340 Les Clayes sous Bois. FRANCE   Fax  : 33 - 1 30 80 33 21
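As an added example (not part of this thread or of any PKIX draft), the three candidate identifiers from Ambarish's list computed over constructed issuer data, with a lookup that shows the difference Denis raises (options 1 and 2 give no usable issuer reference when the CA is not already known) and the DN-hashing mismatch Tim's canonicalization concern is about. It assumes SHA-1 as the hash, a DN consisting of a single CN, and a case/whitespace folding canonicalization; the DER encoder is a minimal helper written for this demo.

```python
import hashlib

def der(tag, body):
    """Minimal DER TLV encoder (short-form lengths only; enough for this demo)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def name_cn(cn):
    """DER-encode a Name holding a single CN attribute (OID 2.5.4.3, PrintableString)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode("ascii")))
    return der(0x30, der(0x31, atv))

def canonical_name(cn):
    """Assumed canonicalization before hashing: fold case and collapse whitespace,
    in the spirit of X.500 caseIgnoreMatch for CN."""
    return name_cn(" ".join(cn.split()).lower())

def sha1(data):
    return hashlib.sha1(data).hexdigest()  # SHA-1 is an assumption of this demo

def cert_id(option, issuer_name, issuer_key, serial):
    """Build the identifier for options 1, 2 and 3 as listed in the thread."""
    if option == 1:
        return (sha1(issuer_name + issuer_key), serial)
    if option == 2:
        return (sha1(issuer_name), sha1(issuer_key), serial)
    if option == 3:
        return (issuer_name, sha1(issuer_key), serial)
    raise ValueError("unknown option %r" % option)

def issuer_of(option, cid, known_cas):
    """Resolve the issuer from known (name_der, key_der) pairs. Every option can
    match a CA that is already known; only option 3 still yields a usable
    reference (the DN) when no known CA matches."""
    for name, key in known_cas:
        if cert_id(option, name, key, cid[-1]) == cid:
            return name
    return cid[0] if option == 3 else None

def name_hashes_match(cn_a, cn_b, canonicalize):
    """Compare Hash(IssuerDN) for two spellings of the same CN."""
    encode = canonical_name if canonicalize else name_cn
    return sha1(encode(cn_a)) == sha1(encode(cn_b))

# Constructed sample data: a CA name and stand-in bytes for its SubjectPublicKeyInfo.
CA_NAME = name_cn("Example CA")
CA_KEY = b"constructed-SubjectPublicKeyInfo-stand-in"
KNOWN_CAS = [(CA_NAME, CA_KEY)]
```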