Clarification on matching rules
Those of us who were at the ISO meeting back in 1995 are trying to
reconstruct all of the steps that led to the matching rule definitions.
In the interim, I forward this general recollection...
>> >Stefan Santesson writes:
>> >>CertificateAssertion ::= SEQUENCE {
>> > ...
>> >> policy [9] CertPolicySet OPTIONAL,
>> > ...
>> >
>> >>CertPolicySet ::= SEQUENCE (1..MAX) OF CertPolicyId
>> >
>> >Can anyone shed light on why this is called a
>> >CertPolicy*Set* when it's defined as a SEQUENCE OF ?
>> >
>> >The only thing I can think of is that the nature of the data is 'SET
>> >OF', with the name reflecting that nature, but that 'SEQUENCE OF' has
>> >been used in the definition of the type in order to avoid introducing
>> >DER-encoding hassles.
>
>If memory and gut feelings serve, that is the reason: to avoid
>DER problems with encoding SET OF. Semantically, it is a set;
>pragmatically it is a sequence, to make it work.
>
>> >> j) policy matches if all of the policy elements identified
>> >> in one of the presented values are contained in the set of
>> >> policyElementIds in any of the policyInformation values in
>> >> the certificate policies extension in the stored attribute
>> >> value; there is no match if there is no certificate policies
>> >> extension in the stored attribute value;
>> >
>> >Is there mismatch between this description and the defined syntax for
>> >CertPolicySet here? The presence of the phrase 'in one of the presented
>> >values' seems to indicate a different syntax to the one defined.
>> >
>> >It looks to me as if the author had in mind a definition of
>> >CertPolicySet along the lines of
>> >
>> > CertPolicySet ::= SET (1..MAX) OF CertPolicyPresentedValues
>> >
>> > CertPolicyPresentedValues ::= SET (1..MAX) OF CertPolicyId
>> >
>> >(SET OF being regarded as equivalent to SEQUENCE OF for the
>> >purposes of this discussion).
>> >
>> >If not, then surely CertPolicySet would comprise the entire
>> >'presented value', making the phrase 'identified in one of the
>> >presented values' misleading.
>
>Yeah, this seems fuzzy to me, too. Perhaps it (j) should read
>
> j) policy matches if all of the policy elements specified as
> presented values are contained in the set of
> policyElementIds in any of the policyInformation values in
> the certificate policies extension in the stored attribute
> value; there is no match if there is no certificate policies
> extension in the stored attribute value;
>
>In other words:
>
>The assertion contains a single set; the assertion matches
>the certificate if and only if all elements of that set are
>contained in the certificate.
Sandi
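An added example, not part of the thread or of any X.500/X.509 specification text: small DER encoders that make the SET OF versus SEQUENCE OF point concrete, and matching rule (j) coded both as the reply restates it and as the original wording ("one of the presented values") could be read. Function names and the policy OIDs used as sample input are the example's own.

```python
# Added example (not from the thread): small DER encoders showing why CertPolicySet
# is declared SEQUENCE OF rather than SET OF, plus rule (j) in both readings.
# All names here are the example's own, not identifiers from X.509 or X.520.
from typing import Iterable, Optional

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted form (X.690 8.19)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for s in subids:  # base-128 digits, high bit set on all but the last
        chunk = bytearray([s & 0x7F])
        s >>= 7
        while s:
            chunk.insert(0, 0x80 | (s & 0x7F))
            s >>= 7
        out += chunk
    return b"\x06" + der_len(len(out)) + bytes(out)

def der_sequence_of(elems: Iterable[bytes]) -> bytes:
    """SEQUENCE OF (tag 0x30): the caller's order is encoded as given."""
    body = b"".join(elems)
    return b"\x30" + der_len(len(body)) + body

def der_set_of(elems: Iterable[bytes]) -> bytes:
    """SET OF (tag 0x31): DER (X.690 11.6) requires the element encodings in ascending
    order, so encoders sort and strict decoders check; distinct TLVs never prefix each
    other, so plain bytes ordering suffices."""
    body = b"".join(sorted(elems))
    return b"\x31" + der_len(len(body)) + body

def policy_matches(presented: Iterable[str], cert_policies: Optional[Iterable[str]]) -> bool:
    """Rule (j) as restated in the reply: one presented set of policy ids, matching
    iff every id occurs in the certificate's certificatePolicies extension; an
    absent extension never matches (None stands for 'absent', [] for 'present, empty')."""
    if cert_policies is None:
        return False
    return set(presented) <= set(cert_policies)

def policy_matches_any_presented_set(presented_sets: Iterable[Iterable[str]],
                                     cert_policies: Optional[Iterable[str]]) -> bool:
    """The reading the original wording invites ('one of the presented values'):
    several presented sets, and any one fully contained is a match."""
    return any(policy_matches(s, cert_policies) for s in presented_sets)
```

Encoding the same two policy ids in either order gives one canonical SET OF but two distinct SEQUENCE OF encodings, which is the "DER hassle" a SET OF would have imposed on every encoder and decoder of the assertion.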