Bug in RFC 2459
As I was trying to process a newly-issued Verisign test cert I noticed that
the software was rejecting the cert due to an invalid cert.policy extension.
After a bit of poking around I found that the string type for
userNotice.noticeRef.organization quietly changed between the final drafts
and the actual RFC, so that what used to be an IA5String has now become a
DisplayString, which is a mixture of everything but IA5String. This means
that any cert issued under the drafts isn't compliant with the final RFC.
Note that this is a PKIX bug, not a Verisign bug (the fact that the
extension falls into indefinite-length encodings at various points is a bug,
but I grumbled about that nearly a year ago).
There are three possible ways to fix this:
1. Define a new cert.policy extension OID for the DisplayString version (this
is probably bad).
2. Move back to the IA5String.
3. Make the organization a CHOICE between a DisplayString and an IA5String
and deprecate the IA5String.
(ObGrumble: You have to wonder why anyone even bothers adding half the
extensions in a cert for all the attention that gets paid to them - the
policy extension could probably have just about anything in there and no one
would even notice).
Peter.
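The string-type mismatch the post describes shows up in the bytes as a single differing tag in the DER encoding of the NoticeReference: IA5String (tag 0x16) under the drafts versus one of the RFC 2459 alternatives, which the RFC names DisplayText (VisibleString 0x1A, BMPString 0x1E, UTF8String 0x0C); later revisions of the profile added ia5String back as a deprecated alternative, essentially option 3 above. The following is an added example, not code from the post or from any PKIX implementation: a minimal DER decoder for NoticeReference that accepts either form, records which one it saw so draft-era certs can be flagged rather than silently rejected, enforces the SIZE (1..200) bound, and refuses the indefinite-length encodings the post mentions, since DER does not permit them. The sample encodings and the `check` helper are constructed for this example.

```python
"""Added example, not from the original post: decode the NoticeReference of a
certificatePolicies userNotice (RFC 2459 4.2.1.5), accepting the organization
field as either the draft-era IA5String or a DisplayText alternative."""
from dataclasses import dataclass

# Universal ASN.1 tag numbers (X.680); SEQUENCE carries the constructed bit.
TAG_INTEGER = 0x02
TAG_UTF8STRING = 0x0C
TAG_IA5STRING = 0x16
TAG_VISIBLESTRING = 0x1A
TAG_BMPSTRING = 0x1E
TAG_SEQUENCE = 0x30

# DisplayText CHOICE alternatives as in RFC 2459 -> (name, Python codec)
DISPLAYTEXT = {
    TAG_VISIBLESTRING: ("visibleString", "ascii"),
    TAG_BMPSTRING: ("bmpString", "utf-16-be"),
    TAG_UTF8STRING: ("utf8String", "utf-8"),
}
# The draft-era form that the final RFC dropped
LEGACY = {TAG_IA5STRING: ("ia5String", "ascii")}


class DerError(ValueError):
    """Raised for malformed or non-DER input."""


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one tag-length-value at buf[pos:]; return (tag, value, end)."""
    if pos + 2 > len(buf):
        raise DerError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        # BER allows 0x80 plus an end-of-contents octet pair; DER does not.
        raise DerError("indefinite-length encoding is not DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise DerError("value runs past end of buffer")
    return tag, buf[pos:end], end


@dataclass
class NoticeReference:
    organization: str
    string_form: str        # which ASN.1 string type carried organization
    notice_numbers: list[int]


def parse_notice_reference(der: bytes, accept_ia5: bool = True) -> NoticeReference:
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise DerError("expected exactly one SEQUENCE")
    # organization: DisplayText per RFC 2459, IA5String per the drafts
    otag, oval, pos = read_tlv(body, 0)
    if otag in DISPLAYTEXT:
        form, codec = DISPLAYTEXT[otag]
    elif otag in LEGACY and accept_ia5:
        form, codec = LEGACY[otag]
    else:
        raise DerError(f"organization has unexpected tag 0x{otag:02x}")
    try:
        organization = oval.decode(codec)
    except UnicodeDecodeError as exc:
        raise DerError(f"organization is not a valid {form}") from exc
    if not 1 <= len(organization) <= 200:  # SIZE (1..200) is in characters
        raise DerError("organization violates SIZE (1..200)")
    # noticeNumbers: SEQUENCE OF INTEGER, and it must be the last element
    ntag, nval, pos = read_tlv(body, pos)
    if ntag != TAG_SEQUENCE or pos != len(body):
        raise DerError("expected noticeNumbers SEQUENCE as the last element")
    numbers, p = [], 0
    while p < len(nval):
        itag, ival, p = read_tlv(nval, p)
        if itag != TAG_INTEGER or not ival:
            raise DerError("noticeNumbers must contain INTEGERs")
        numbers.append(int.from_bytes(ival, "big", signed=True))
    return NoticeReference(organization, form, numbers)


def check(der: bytes, accept_ia5: bool = True) -> tuple[bool, str]:
    """Validator wrapper (constructed helper): (accepted?, form or reason)."""
    try:
        return True, parse_notice_reference(der, accept_ia5).string_form
    except DerError as exc:
        return False, str(exc)


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form DER encoder for the constructed samples below (< 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


# Constructed sample encodings; not taken from any real certificate.
_NUMS = _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, b"\x01") + _tlv(TAG_INTEGER, b"\x02"))
DRAFT_ERA = _tlv(TAG_SEQUENCE, _tlv(TAG_IA5STRING, b"Example CA") + _NUMS)
RFC_2459 = _tlv(TAG_SEQUENCE, _tlv(TAG_VISIBLESTRING, b"Example CA") + _NUMS)
BMP = _tlv(TAG_SEQUENCE, _tlv(TAG_BMPSTRING, "Example CA".encode("utf-16-be")) + _NUMS)
# Same content as RFC_2459, but wrapped in the indefinite-length form the post mentions
INDEFINITE = b"\x30\x80" + _tlv(TAG_VISIBLESTRING, b"Example CA") + _NUMS + b"\x00\x00"

if __name__ == "__main__":
    for name, sample in [("draft-era", DRAFT_ERA), ("rfc2459", RFC_2459),
                         ("bmp", BMP), ("indefinite", INDEFINITE)]:
        print(name, check(sample), check(sample, accept_ia5=False))
```

Running the module prints, for each constructed sample, the result with and without IA5String tolerance; the `string_form` field is what a validator would log to spot certs issued under the drafts, and `accept_ia5=False` is the strict RFC 2459 behaviour that produced the rejection described in the post.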