
Re: Last Call - Profile



At 01:10 PM 7/3/98 -0700, Denis Pinkas wrote:
>B. DNs are now indicated as mandatory for issuer names 
>in this new draft.
>. . .
>The version 8 now mandates the use of non-empty DNs. No rationale is
>provided for making the change. We have been working for years under the
>assumption that DNs will not be mandated. This was explicitly mentioned
>and agreed as a foundation when the group was created and then
>constantly during the seven previous drafts. It would be inappropriate
>to change it now.

This was discussed on the list and in LA, I believe. The basic problem is
that -07 allows an issuer to have more than one name: either a combination
of a DN plus one or more altNames, or a blank DN plus more than one
altName. Having more than one name makes chaining non-deterministic. What
does a validator do if one kind of name matches but another kind of name
has a mismatch? Or if one kind of name matches but another kind is present in
one certificate and absent from the other?

Because of this, Tim chose to require DN and to use that for chaining.
Another method that people might want is to say that the name can be either
in the DN or an altName, but there can only be one name (or one non-null
name). If there is more than one name, this draft doesn't say how to
validate that chain. I have heard off-list grumbling about this, and think
it needs to be settled soon.

--Paul Hoffman, Director
--Internet Mail Consortium
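The three chaining policies discussed in the message above (the -07 situation where a DN and altNames can both name the issuer, the -08 rule of chaining on a mandatory non-empty DN, and the "exactly one non-null name" alternative), modelled in a small added example. This is not code from the PKIX thread or from any PKIX implementation; names are plain strings compared for equality (real DN comparison follows X.520 matching rules, which are out of scope here), an altName "kind" is treated as matching when the two sides share at least one altName (an assumption), and all certificates are constructed sample data.

```python
"""Added example: how the name-chaining policies under discussion behave.

Not from the PKIX list or any PKIX implementation. Names are plain strings;
DN comparison is simplified to string equality (X.520 matching rules are
out of scope). The certificates below are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Names:
    """Names carried by one certificate field (subject or issuer).

    dn is "" when the DN is empty; alt_names models the GeneralNames of a
    subjectAltName/issuerAltName extension, e.g. "dns:ca.example.test".
    """
    dn: str = ""
    alt_names: FrozenSet[str] = frozenset()

    def non_null(self) -> FrozenSet[str]:
        """Every non-empty name in this field, regardless of kind."""
        names = set(self.alt_names)
        if self.dn:
            names.add("dn:" + self.dn)
        return frozenset(names)


@dataclass(frozen=True)
class Cert:
    subject: Names
    issuer: Names


def chain_07_style(issuer: Cert, child: Cert) -> str:
    """Chaining when a DN and altNames may both name the issuer (-07 situation).

    Each kind of name present on either side is compared separately. The
    result is 'match' or 'mismatch' only when every kind agrees; otherwise
    it is 'ambiguous', which is exactly the case the draft does not settle.
    """
    verdicts = []
    # DN kind: True/False when both sides carry one, None when only one does.
    if child.issuer.dn and issuer.subject.dn:
        verdicts.append(child.issuer.dn == issuer.subject.dn)
    elif child.issuer.dn or issuer.subject.dn:
        verdicts.append(None)
    # altName kind (assumption: any shared altName counts as a match).
    if child.issuer.alt_names and issuer.subject.alt_names:
        verdicts.append(bool(child.issuer.alt_names & issuer.subject.alt_names))
    elif child.issuer.alt_names or issuer.subject.alt_names:
        verdicts.append(None)
    if not verdicts:
        return "mismatch"  # neither side carries any name at all
    if all(v is True for v in verdicts):
        return "match"
    if all(v is False for v in verdicts):
        return "mismatch"
    return "ambiguous"


def chain_08_style(issuer: Cert, child: Cert) -> bool:
    """The -08 rule as described: non-empty DNs are mandatory and the chain
    is built on the DN alone; altNames take no part in chaining."""
    if not issuer.subject.dn or not child.issuer.dn:
        raise ValueError("-08 requires a non-empty DN in subject and issuer")
    return child.issuer.dn == issuer.subject.dn


def chain_single_name(issuer: Cert, child: Cert) -> bool:
    """The alternative mentioned: the name may be a DN or an altName, but each
    field carries exactly one non-null name, so there is one comparison."""
    s, i = issuer.subject.non_null(), child.issuer.non_null()
    if len(s) != 1 or len(i) != 1:
        raise ValueError("exactly one non-null name is required per field")
    return s == i


# Constructed sample data (hypothetical names, not real certificates).
CA_DN = "CN=Example CA,O=Example"
CA = Cert(subject=Names(dn=CA_DN, alt_names=frozenset({"dns:ca.example.test"})),
          issuer=Names(dn=CA_DN))
# End-entity certs whose issuer fields agree on the DN but differ in altNames.
EE_CLEAN = Cert(subject=Names(dn="CN=alice"), issuer=CA.subject)
EE_ALT_MISMATCH = Cert(subject=Names(dn="CN=bob"),
                       issuer=Names(dn=CA_DN,
                                    alt_names=frozenset({"dns:other.example.test"})))
EE_ALT_ABSENT = Cert(subject=Names(dn="CN=carol"), issuer=Names(dn=CA_DN))
# A CA named only by an altName, with an empty DN.
CA_ALT_ONLY = Cert(subject=Names(alt_names=frozenset({"dns:ca2.example.test"})),
                   issuer=Names(alt_names=frozenset({"dns:ca2.example.test"})))
EE_ALT_ONLY = Cert(subject=Names(dn="CN=dave"), issuer=CA_ALT_ONLY.subject)


if __name__ == "__main__":
    for ee in (EE_CLEAN, EE_ALT_MISMATCH, EE_ALT_ABSENT):
        print(ee.subject.dn, "-07:", chain_07_style(CA, ee),
              "-08:", chain_08_style(CA, ee))
    print("altName-only CA under single-name rule:",
          chain_single_name(CA_ALT_ONLY, EE_ALT_ONLY))
```

Under the -08 rule all three end-entity certificates chain to `CA` identically, because only the DN is consulted; under the -07 reading two of them come back "ambiguous", which is the non-determinism the message describes. The single-name alternative is deterministic too, but it rejects `CA` outright, since its subject carries both a DN and an altName, while accepting the altName-only `CA_ALT_ONLY` that -08 would refuse for its empty DN.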