At 6:05 PM +0000 11/17/09, Dr Stephen Henson wrote:

>Do we need uniform encoding of names or just consistent encoding? For example if
>a CA has decided to encode a name in a certain way it sticks to that encoding
>afterwards and never uses a different one.

We need uniform encoding because relying parties will have more than one trust anchor.

> > Another alternative is to scrap the rules altogether and go back to exact
> > match, with a note proposing how to achieve interop (CAs should normalize
> > before issuing). I think this would achieve our goals of interoperability
> > more than either of the two given above.
>
>We already have this:
>
>   CAs MUST encode the distinguished name in the subject field of a CA
>   certificate identically to the distinguished name in the issuer field
>   in certificates issued by that CA. If CAs use different encodings,
>   implementations might fail to recognize name chains for paths that
>   include this certificate. As a consequence, valid paths could be
>   rejected.

That only talks about encodings, not mappings. It is the mappings done through normalization that is the issue at hand.

>but this only covers the special case of subject and issuer fields of CAs and
>not CRLs, alternative names, name constraints etc.

Yes, there is that too. :-)
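The encoding-versus-mapping distinction the thread turns on can be seen with a few bytes of DER. The following is an added illustration written for this page, not code from the list participants or from any PKIX library: it hand-encodes an X.501 Name holding a single commonName, once as PrintableString and once as UTF8String (the two encodings a CA might pick for the same name), and then compares the two the way a byte-exact matcher would versus the way a normalizing matcher (ignoring string type, case and surplus whitespace, in the spirit of RFC 5280 section 4.1.2.4) would. The OID constant and tag values are standard; the decoder assumes exactly the Name shape the encoder produces, which is an assumption of the example, not a general parser.

```python
# Added example (not from the thread): minimal DER encoder/decoder for an X.501 Name
# with one commonName, showing why byte-exact issuer/subject matching fails when two
# CAs (or one CA over time) encode the same name with different string types, and
# what a normalized ("mapped") comparison does instead.

CN_OID = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3
PRINTABLE_STRING = 0x13
UTF8_STRING = 0x0C


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value with short-form length (enough for names under 128 bytes)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def encode_cn_name(value: str, string_tag: int) -> bytes:
    """Name ::= SEQUENCE OF RDN; one RDN (SET) holding one commonName attribute.
    string_tag selects PrintableString (0x13) or UTF8String (0x0C) for the value."""
    attribute = der_tlv(0x30, der_tlv(0x06, CN_OID) + der_tlv(string_tag, value.encode("utf-8")))
    rdn = der_tlv(0x31, attribute)
    return der_tlv(0x30, rdn)


def decode_cn_name(der: bytes) -> tuple:
    """Walk the nesting back to (string_tag, value). Assumes the shape encode_cn_name emits."""
    def tlv(buf: bytes, expected_tag: int) -> bytes:
        assert buf[0] == expected_tag, f"expected tag {expected_tag:#x}, got {buf[0]:#x}"
        return buf[2:2 + buf[1]]

    rdn = tlv(der, 0x30)
    attribute = tlv(rdn, 0x31)
    inner = tlv(attribute, 0x30)
    oid = tlv(inner, 0x06)
    assert oid == CN_OID, "example only handles commonName"
    string_tlv = inner[2 + len(oid):]
    string_tag = string_tlv[0]
    return string_tag, tlv(string_tlv, string_tag).decode("utf-8")


def names_match_exact(a: bytes, b: bytes) -> bool:
    """What 'exact match' means: the DER octets must be identical."""
    return a == b


def names_match_normalized(a: bytes, b: bytes) -> bool:
    """A normalizing (mapping) comparison: string type ignored, case folded,
    leading/trailing whitespace dropped and internal runs collapsed to one space."""
    def normalize(der: bytes) -> str:
        _, value = decode_cn_name(der)
        return " ".join(value.split()).casefold()
    return normalize(a) == normalize(b)


if __name__ == "__main__":
    # Constructed sample: the CA's own subject uses PrintableString, while the
    # issuer field it writes into an end-entity certificate uses UTF8String.
    ca_subject = encode_cn_name("Example CA", PRINTABLE_STRING)
    ee_issuer = encode_cn_name("Example CA", UTF8_STRING)
    print("exact match:     ", names_match_exact(ca_subject, ee_issuer))       # False
    print("normalized match:", names_match_normalized(ca_subject, ee_issuer))  # True
```

The two string types differ in a single tag byte, yet an exact-match verifier will never chain the end-entity certificate to the CA; a normalizing verifier will. The thread's point is the converse: once relying parties normalize, every implementation has to agree on the mapping (which characters fold, which whitespace collapses), and any divergence shows up as a path that validates in one product and fails in another.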
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.