
Required DN attributes (was: Re: Proposed Resolution of Comments (LONG!) )



-----BEGIN PGP SIGNED MESSAGE-----


"Bob Jueneman" <BJUENEMAN@novell.com> scrawled:
> 
> [ ... ]
> 
> (3) I would strongly recommend we add the X.520 definition of streetAddress 
> to the list of RDN types that constitute the minimal schema for certificate 
> processing code, including directory/repositories.  Implementing it within 
> a CA should be optional, but recommended.
> 

I don't have any problem with requiring support for a particular attribute
(although I'd like to see the list kept reasonably short).  However, I think
it's important to emphasize that this support is at the _software_ level.
That is, PKIX should not mandate that certificates with DNs contain these
attributes.

By mandating DN attributes, PKIX locks in particular directory structures 
that are by no means "standard".  Even though some of these attributes might 
have some kind of de facto status, I think it's far too early to start 
limiting the possibilities.

If PKIX even appears to mandate DN attributes, I think it'll touch off 
problems even bigger than the UTF-8 issue.  It's one thing to say that 
PKIX-compliant software SHOULD (never MUST) support certain DN attributes, 
but it's another thing altogether to relegate to non-compliance(*) any 
certificate with a DN that doesn't contain an attribute from The List.

That said, I think section 4.1.2.4 should _not_ recommend that issuer names 
contain only the specified attributes.  Rather, the second sentence of the
paragraph that begins with "Standard sets of attributes..." should be 
changed so that the paragraph reads

   Standard sets of attributes have been defined in the X.500 series of
   specifications.  Implementations of this specification should be
   prepared to process or create certificates with issuer names that
   contain the following attribute types: country, organization,
   organizational-unit, distinguished name qualifier, title, locality,
   state or province name, common name (e.g., "Susan Housley"), surname,
   given name, initials, and generationqualifier (e.g., "Jr." or "IV").
   The syntax and associated object identifiers (OIDs) for these attribute
   types are provided in the ASN.1 modules in Appendices A and B.

I don't mind if streetAddress is added to this list.

		Marc

(*) There's got to be a verb for "relegating to non-compliance".  
Discomplying?  Deconforming? ...


+------------------------------------------------------------------------+
 Marc Branchaud                                  \/
 Chief PKI Architect                             /\CERT INTERNATIONAL INC.
 marcnarc@xcert.com        PKI References page:              www.xcert.com
 604-640-6227          www.xcert.com/~marcnarc/PKI/
+------------------------------------------------------------------------+
  PGP key fingerprint:  60 11 4B 9D 4E E5 2F 47  BD C5 C2 BF 26 DF 5A E1



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBNZp7WFrdFXNdDxPlAQFDxwL8C0riykMKKMI+8unJEEIRJEtN7dCjvd9t
rH1NyMMzZBbZ9mVlS+w0bRCCjpZ//f+baNDXfCdq9ZcKDIrd0SZZoDs7KJx/b81e
S4mwArIR8GzXze8BxCAhegZynFxa2XB0
=U5dk
-----END PGP SIGNATURE-----
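The distinction the message draws, that software should be prepared to process names carrying the listed attribute types without a name being required to contain them, is easy to get wrong in a DN parser. The following added example (written for this page, not code from the PKIX list or from any PKIX implementation) is a minimal DER encoder and decoder for the X.501 Name structure. It maps the attribute types in the quoted draft paragraph, plus streetAddress, to their X.520 OIDs, and reports attribute types it does not recognise rather than rejecting the name. The sample DNs, the issuer strings and the use of UTF8String for every value except countryName are constructed assumptions for the example; a real encoder also has to honour the string-type rules of the profile.

```python
"""Minimal X.501 Name (DER) encoder/decoder illustrating 'be prepared to
process these attribute types' without mandating that a DN contain them.
Standard library only."""

# X.520 attribute types (arc 2.5.4) named in the quoted draft paragraph,
# plus streetAddress as proposed in the message.
RECOMMENDED_ATTRIBUTE_TYPES = {
    "2.5.4.6": "countryName",
    "2.5.4.10": "organizationName",
    "2.5.4.11": "organizationalUnitName",
    "2.5.4.46": "dnQualifier",
    "2.5.4.12": "title",
    "2.5.4.7": "localityName",
    "2.5.4.8": "stateOrProvinceName",
    "2.5.4.3": "commonName",
    "2.5.4.4": "surname",
    "2.5.4.42": "givenName",
    "2.5.4.43": "initials",
    "2.5.4.44": "generationQualifier",
    "2.5.4.9": "streetAddress",
}

# --- DER primitives -------------------------------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, end_offset) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                   # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

# --- Name = SEQUENCE OF RDN; RDN = SET OF AttributeTypeAndValue ------------
def encode_name(rdns):
    """rdns: list of RDNs, each a list of (dotted_oid, value) pairs.
    Assumption for this example: countryName is PrintableString (0x13),
    everything else UTF8String (0x0C).  SET members are sorted per DER."""
    out = b""
    for rdn in rdns:
        atvs = sorted(
            _tlv(0x30, encode_oid(oid) +
                 _tlv(0x13 if oid == "2.5.4.6" else 0x0C, value.encode("utf-8")))
            for oid, value in rdn)
        out += _tlv(0x31, b"".join(atvs))
    return _tlv(0x30, out)

def decode_name(der: bytes):
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name must be a single SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_body, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        atvs, p = [], 0
        while p < len(rdn_body):
            tag, atv, p = _read_tlv(rdn_body, p)
            if tag != 0x30:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            t, oid_body, q = _read_tlv(atv, 0)
            if t != 0x06:
                raise ValueError("attribute type must be an OID")
            _, val, _ = _read_tlv(atv, q)   # string types decoded as UTF-8 here
            atvs.append((decode_oid(oid_body), val.decode("utf-8", "replace")))
        rdns.append(atvs)
    return rdns

def describe_name(der: bytes) -> dict:
    """Classify attribute types; unrecognised ones are reported, not rejected."""
    rdns = decode_name(der)
    recognized, unrecognized = [], []
    for rdn in rdns:
        for oid, value in rdn:
            if oid in RECOMMENDED_ATTRIBUTE_TYPES:
                recognized.append((RECOMMENDED_ATTRIBUTE_TYPES[oid], value))
            else:
                unrecognized.append((oid, value))
    return {"rdn_count": len(rdns), "recognized": recognized,
            "unrecognized": unrecognized}

# Constructed sample DNs (not real issuers).  The second carries a PKCS #9
# emailAddress attribute, which is not on the list but must still parse.
SAMPLE_NAME = [[("2.5.4.6", "CA")], [("2.5.4.10", "Example CA")],
               [("2.5.4.9", "1 Example Street")],
               [("2.5.4.3", "Susan Housley")], [("2.5.4.44", "Jr.")]]
MIXED_NAME = [[("2.5.4.6", "US")],
              [("1.2.840.113549.1.9.1", "susan@example.com")],
              [("2.5.4.3", "Susan Housley")]]

if __name__ == "__main__":
    for name in (SAMPLE_NAME, MIXED_NAME):
        print(describe_name(encode_name(name)))
```

Running the module prints the classification of both sample names; the second one decodes cleanly with the emailAddress type listed under "unrecognized", which is the behaviour the message argues for: support at the software level, no attribute made mandatory.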