[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Qualified Certificates draft - Country name

To: Stefan Santesson <stefan@xxxxxxxxxxx>
Subject: RE: Qualified Certificates draft - Country name
From: tgindin@xxxxxxxxxx
Date: Tue, 2 Mar 1999 19:34:33 -0500
Cc: ietf-pkix@xxxxxxx
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxx

     Does this consensus apply to issuer name as well as to subject name?
Certificate verifiers are expected to perform real-time retrieval of CRL's
with no information other than the issuer name when the
CRLDistributionPoint extension is not used.  Most of the discussion on this
thread seems equally applicable to issuer names and to subject names.
     While there is no absolute relation between subject attributes and
directory entries, a certificate is usually expected to be found in no
other directory entry than that whose name matches the subject.  While the
policy or CPS could provide information about the semantic usage of
country, it is not intended to point to the physical directory.

          Tom Gindin



Stefan Santesson <stefan@accurata.se> on 03/02/99 01:09:54 PM

To:   ietf-pkix@imc.org
cc:    (bcc: Tom Gindin/Watson/IBM)
Subject:  RE: Qualified Certificates draft - Country name


I interpret the ruff consensus to be that countryName should NOT be
mandatory.

I have seen many reasons presented on why it would be wise to use the
country name (I agree to many of them). What I try to figure out is if it
would be any problem for those using countryName if it also would be
allowed not to.

I can't find any such problems, espesially not when there is no absolute
relation between attributes in the subject field and the location of a
certificate in a directory. Further the policy/CPS may provide semantics
which otherwise would be unclear due to an absent countryName value.


If any one else can find real problems, I would like to know, otherwise I
suggest that we remove the mandatory requirement.

/Stefan


-------------------------------------------------------------------
Stefan Santesson                <stefan@accurata.se>
Accurata Systemsäkerhet AB
Lotsgatan 27 D                  Tel. +46-40 152211
216 42  Malmö                   Fax. +46-40 150790
Sweden                        Mobile +46-70 5247799

PGP fingerprint: 89BC 6C79 5B3D 591B 8547  1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------

Prev by Date: I-D ACTION:draft-ietf-pkix-dhpop-00.txt
Next by Date: RE: Mapping certificate to directories
Previous by thread: RE: Qualified Certificates draft - Country name
Next by thread: Re: Qualified Certificates draft - Country name
Index(es):
- Date
- Thread