
Re: Last Call - Profile



Anne:

Thanks for your comments.  Let me respond to each.

>Objection 1: PKIX should not mandate use of X501 names for chaining.
>Not all PKI's store certificate information in an X500 directory.

I agree that X.500 Directory deployment will not be ubiquitous for many
years to come.  That is why I wrote the Internet-Draft dealing with the
distribution of Certificates and CRLs using FTP and HTTP.

The use of X.501 names does not imply the existence of a Directory.  This
name format can be used without deploying a Directory.

S/MIME (and other protocols) as well as CRL entries identify certificates
by the combination of the issuer Distinguished Name and Serial Number.
This is the reason that the population of the Issuer field with a non-empty
name is important.


>Objection 2: If PKIX does mandate X501 names for chaining, then the
>RFC2247 "DC=" attribute should be added to the list of recommended
>name attributes to be used in section 4.1.2.4.

I have no objection to the inclusion of the "DC=" attribute as a name
component.


>Objection 3: If the intent is indeed to mandate use of X501 names for
>chaining, section 4.1.2.6 "Subject" is ambiguous with respect to this mandate
>and section 6.1 "Basic Path Validation" contradicts this mandate.  Locations
>and suggested changes follow.

Names can be used for path development.  However, the SubjectKeyIdentifier
and AuthorityKeyIdentifier extensions can also be used for path development.

Once the path is developed, the path validation includes the checking of
the parent subject name and the child issuer name at each link in the path.


Russ
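The two mechanisms the reply distinguishes, path development (by issuer name or by AuthorityKeyIdentifier/SubjectKeyIdentifier) and path validation (checking that each child's issuer name equals its parent's subject name), are shown below in a small added example. It is not code from the message or from any PKIX implementation: certificates are plain Python objects with only the chaining fields, names are compared as exact strings (real X.501 name matching rules are ignored), no signatures are verified, and the sample certificates, the decoy with a colliding subject name, and the CRL contents are constructed for the illustration. CRL entries and the S/MIME-style IssuerAndSerialNumber lookup both key on the (issuer DN, serial number) pair, which is why a non-empty Issuer field matters.

```python
# Added example, not from the original message or any PKIX library.
# Toy model of PKIX path development and name-chaining validation.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Only the fields needed for chaining; no signature, no ASN.1."""
    subject: str            # X.501 name as a string, e.g. "CN=Alice,DC=example,DC=com"
    issuer: str             # X.501 name of the issuer; must be non-empty
    serial: int
    ski: Optional[str] = None   # SubjectKeyIdentifier (hex string, assumed)
    aki: Optional[str] = None   # AuthorityKeyIdentifier keyIdentifier (hex string, assumed)


def issuer_and_serial(cert: Cert) -> Tuple[str, int]:
    """The identifier S/MIME (IssuerAndSerialNumber) and CRL entries rely on."""
    return (cert.issuer, cert.serial)


def lookup_issuer_and_serial(pool: List[Cert], issuer: str, serial: int) -> Optional[Cert]:
    """Resolve an (issuer DN, serial) reference, as an S/MIME recipient would."""
    for c in pool:
        if issuer_and_serial(c) == (issuer, serial):
            return c
    return None


def is_revoked(cert: Cert, crls: Dict[str, Set[int]]) -> bool:
    """CRLs modelled as {CRL issuer DN: set of revoked serial numbers}."""
    return cert.serial in crls.get(cert.issuer, set())


def candidate_issuers(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """Path development: prefer AKI -> SKI matching when the child carries an AKI;
    otherwise fall back to matching the child's issuer name against subjects."""
    if cert.aki is not None:
        by_key = [c for c in pool if c.ski == cert.aki]
        if by_key:
            return by_key
    return [c for c in pool if c.subject == cert.issuer]


def develop_path(end_entity: Cert, pool: List[Cert], anchors: List[Cert],
                 max_depth: int = 8) -> Optional[List[Cert]]:
    """Walk from the end entity up to a trust anchor; return [anchor, ..., ee]."""
    def walk(cert: Cert, seen: Set[Cert], depth: int) -> Optional[List[Cert]]:
        if depth > max_depth:
            return None
        for parent in candidate_issuers(cert, pool + anchors):
            if parent in seen:          # skip loops and self-signed certs
                continue
            if parent in anchors:
                return [parent, cert]
            tail = walk(parent, seen | {parent}, depth + 1)
            if tail is not None:
                return tail + [cert]
        return None
    return walk(end_entity, {end_entity}, 0)


def validate_path(path: List[Cert], crls: Dict[str, Set[int]]) -> List[str]:
    """Basic path validation, reduced to the name-chaining and revocation checks:
    at every link the child's issuer must equal the parent's subject."""
    errors: List[str] = []
    for parent, child in zip(path, path[1:]):
        if not child.issuer:
            errors.append(f"empty issuer name in serial {child.serial}")
        if child.issuer != parent.subject:
            errors.append(f"name mismatch: issuer {child.issuer!r} != subject {parent.subject!r}")
        if child.aki is not None and parent.ski is not None and child.aki != parent.ski:
            errors.append(f"key identifier mismatch at serial {child.serial}")
        if is_revoked(child, crls):
            errors.append(f"revoked: {issuer_and_serial(child)}")
    return errors


# Constructed sample hierarchy (not real certificates).
ROOT = Cert("CN=Root CA,DC=example,DC=com", "CN=Root CA,DC=example,DC=com", 1, ski="aa")
SUB = Cert("CN=Sub CA,DC=example,DC=com", "CN=Root CA,DC=example,DC=com", 2, ski="bb", aki="aa")
ALICE = Cert("CN=Alice,DC=example,DC=com", "CN=Sub CA,DC=example,DC=com", 1001, aki="bb")
# Decoy with the same subject name as Sub CA but a different key: name-only
# path development would consider it; AKI/SKI matching does not.
DECOY = Cert("CN=Sub CA,DC=example,DC=com", "CN=Evil,DC=example,DC=com", 7, ski="cc")
POOL = [SUB, DECOY, ALICE]
ANCHORS = [ROOT]
CRLS = {"CN=Sub CA,DC=example,DC=com": {1002}}   # serial 1002 revoked by Sub CA


def demo() -> Tuple[List[int], List[str], List[str]]:
    good = develop_path(ALICE, POOL, ANCHORS)
    good_errors = validate_path(good, CRLS)
    bad_errors = validate_path([ROOT, DECOY, ALICE], CRLS)   # hand-built wrong path
    return [c.serial for c in good], good_errors, bad_errors


if __name__ == "__main__":
    print(demo())
```

Running the module builds the path Root CA -> Sub CA -> Alice by key identifiers, validates it cleanly, and reports two errors for the hand-built path through the decoy: its issuer name does not match the root's subject, and Alice's AKI does not match the decoy's SKI.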