[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [pkix] way forward for 5280

From: Stephen Kent <kent at bbn.com>
To: Paul Hoffman <phoffman at imc.org>
Cc: pkix at ietf.org
Date: Fri, 20 Nov 2009 14:55:37 -0500
In-reply-to: <p06240819c72887397474 at [10.20.30.158]>
References: <p06240801c71ebcecac83 at [128.89.89.21]> <p06240806c727d3c6add6 at [10.20.30.158]> <p06240801c7286d6a38db at [128.89.89.228]> <p06240810c7287a2a64fa at [10.20.30.158]> <p0624080ec7287d45f045 at [128.89.89.228]> <p06240819c72887397474 at [10.20.30.158]>
List-id: PKIX Working Group <pkix.ietf.org>

At 9:07 AM -0800 11/17/09, Paul Hoffman wrote:

At 11:29 AM -0500 11/17/09, Stephen Kent wrote:
This is primarily a client issue, right?
Probably not. The relying party (the "client") needs to match nameswith what the identity that the CA (the "server"?) intended. So,it's an issue for both. I see nothing in RFC 5280 section 7 thatindicates that the material is only for relying parties: it says"conforming implementations" many places.

I was thinking that an RP needs to match subject and issuer names incerts during path validation, and sometimes with names in CRLs. Also,an RP may have to perform a match with some local access controlinfo, which might have come from an LDAP directory, hence the desireto use the LDAP string prep algorithm.

I think we agree that both CAs and RPs want to have names compared ona consistent basis, even though CAs are putting the names intostructures and RPs are generally consuming the names and doing thecomparisons.

>Section 7.1 established a MUST for comparison of IDNs, based onthe LDAP StringPrep profile. Clients need to perform comparisons,e.g., a CA Subject name to CA name in a CRL, etc.
This depends on your view of what the comparison is made to. I thinkit is made to the CA's naming rules.


I'm not so clear on this point. Could you elaborate?

> I reread David's comment as to why this would not be a problemsclient, due to CA adherence to uniform encoding of names, but youare right that we don't have an obvious way to address this apparentlack of conformance.
We have no way of measuring "CA adherence to uniform encoding ofnames", do we?


Fair point.

>Russ & Tim, how would you like PKIX to proceed? We could wait forcompliant implementations to appear (and we can try to encouragesuch), or we could downgrade the MUST to a SHOULD (but would theIESG be satisfied with this, given what I perceive as an overalldesire to push for UTF8 support?).
Another alternative is to scrap the rules altogether and go back toexact match, with a note proposing how to achieve interop (CAsshould normalize before issuing). I think this would achieve ourgoals of interoperability more than either of two given above.

True, but it also may not be seen to support the IETF (IESG/IAB)agenda of promoting use of UFT8 via our standards. That's why I askedTim and Russ for their views on this issue.


Steve

Follow-Ups:
- Re: [pkix] way forward for 5280
  - From: Paul Hoffman

References:
- [pkix] way forward for 5280
  - From: Stephen Kent
- Re: [pkix] way forward for 5280
  - From: Paul Hoffman
- Re: [pkix] way forward for 5280
  - From: Stephen Kent
- Re: [pkix] way forward for 5280
  - From: Paul Hoffman
- Re: [pkix] way forward for 5280
  - From: Stephen Kent
- Re: [pkix] way forward for 5280
  - From: Paul Hoffman

Prev by Date: Re: [pkix] way forward for 5280
Next by Date: Re: [pkix] way forward for 5280
Previous by thread: Re: [pkix] way forward for 5280
Next by thread: Re: [pkix] way forward for 5280
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.