
Re: [pkix] way forward for 5280



Here is the text that is proposed for the explicitText field, which simply takes the text in RFC 5280 and swaps IA5String and VisibleString:

| An explicitText field includes the textual statement directly in
| the certificate.  The explicitText field is a string with a
| maximum size of 200 characters.  Conforming CAs SHOULD use the
| UTF8String encoding for explicitText, but MAY use VisibleString.
| Conforming CAs MUST NOT encode explicitText as IA5String or
| BMPString.  The explicitText string SHOULD NOT include any control
| characters (e.g., U+0000 to U+001F and U+007F to U+009F).  When
| the UTF8String encoding is used, all character sequences SHOULD be
| normalized according to Unicode normalization form C (NFC) [NFC].

Note that this text only imposes requirements on issuers, so anything placing requirements on relying parties would be new.

However, if the intention is to add such a statement, here are two statements from RFC 5280 that would be closely related:

1) Section 4.1.2.6 (Subject):

(c)  TeletexString, BMPString, and UniversalString are included
     for backward compatibility, and SHOULD NOT be used for
     certificates for new subjects.  However, these types MAY be
     used in certificates where the name was previously
     established, including cases in which a new certificate is
     being issued to an existing subject or a certificate is being
     issued to a new subject where the attributes being encoded
     have been previously established in certificates issued to
     other subjects.  Certificate users SHOULD be prepared to
     receive certificates with these types.


2) Section 7.1 (Internationalized Names in Distinguished Names):

   Conforming implementations MUST
   support UTF8String and PrintableString.  RFC 3280 required only
   binary comparison of attribute values encoded in UTF8String, however,
   this specification requires a more comprehensive handling of
   comparison.  Implementations may encounter certificates and CRLs with
   names encoded using TeletexString, BMPString, or UniversalString, but
   support for these is OPTIONAL.


If there is a desire to specify requirements for relying parties with respect to explicitText, what is the proposed text?

Dave
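As an added example (not part of this thread, and not text from RFC 5280), the following Python shows what relying-party handling of the proposed explicitText rules could look like: it identifies the string type of a DER-encoded DisplayText value from its universal tag, decodes it, and reports each of the quoted requirements the value fails to meet (type that conforming CAs MUST NOT use, the 200-character maximum, control characters in the stated ranges, and NFC normalization for UTF8String). It assumes the DisplayText CHOICE alternatives from the RFC 5280 ASN.1 module (IA5String, VisibleString, BMPString, UTF8String) and the X.690 universal tag numbers for those types; the sample certificate values are constructed here, and the encoder exists only to build them.

```python
"""Relying-party checks for a DER-encoded explicitText (DisplayText) value.

Added example, not part of the pkix thread or of RFC 5280. Tag numbers are
the X.690 universal tags for the four DisplayText alternatives; all sample
values below are constructed for illustration.
"""
import unicodedata

# DisplayText ::= CHOICE of these four string types (RFC 5280 section 4.2.1.4).
# Maps the DER tag byte to (type name, codec used to decode its content).
DISPLAY_TEXT_TYPES = {
    0x0C: ("UTF8String", "utf-8"),
    0x16: ("IA5String", "ascii"),
    0x1A: ("VisibleString", "ascii"),
    0x1E: ("BMPString", "utf-16-be"),
}

# Types the proposed text says conforming CAs MUST NOT use; an RP may still
# accept them for interoperability, so they are reported rather than rejected.
MUST_NOT_ISSUE = {"IA5String", "BMPString"}

MAX_CHARS = 200


def parse_tlv(der: bytes):
    """Parse a single primitive DER TLV and return (tag, content).

    Rejects constructed encodings, non-minimal lengths and trailing bytes,
    since DER requires exactly one minimal encoding for each value.
    """
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag = der[0]
    if tag & 0x20:
        raise ValueError("constructed encoding is not permitted for DER strings")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed length octets")
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
        # Long form must not be used for lengths < 128 and must have no leading zero byte.
        if length < 0x80 or length < (1 << (8 * (n - 1))):
            raise ValueError("non-minimal length encoding")
    content = der[offset:offset + length]
    if len(content) != length or offset + length != len(der):
        raise ValueError("content length does not match declared length")
    return tag, content


def is_control(ch: str) -> bool:
    """Control characters as enumerated in the proposed text: U+0000..U+001F, U+007F..U+009F."""
    cp = ord(ch)
    return cp <= 0x1F or 0x7F <= cp <= 0x9F


def check_explicit_text(der: bytes):
    """Decode a DisplayText value and return (type name, text, list of findings).

    An empty findings list means the value meets every requirement quoted
    from the proposed explicitText paragraph. Malformed DER or content that
    is not valid in the declared type raises (ValueError / UnicodeDecodeError).
    """
    tag, content = parse_tlv(der)
    if tag not in DISPLAY_TEXT_TYPES:
        raise ValueError(f"tag 0x{tag:02X} is not a DisplayText alternative")
    name, codec = DISPLAY_TEXT_TYPES[tag]
    text = content.decode(codec)

    findings = []
    if name in MUST_NOT_ISSUE:
        findings.append(f"{name}: conforming CAs MUST NOT use this encoding")
    if len(text) > MAX_CHARS:
        findings.append(f"{len(text)} characters exceeds the {MAX_CHARS}-character maximum")
    if any(is_control(ch) for ch in text):
        findings.append("contains control characters (U+0000-U+001F or U+007F-U+009F)")
    if name == "UTF8String" and unicodedata.normalize("NFC", text) != text:
        findings.append("UTF8String content is not in Unicode normalization form C")
    return name, text, findings


def der_length(n: int) -> bytes:
    """Minimal DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_display_text(tag: int, text: str) -> bytes:
    """Build a constructed sample DisplayText value for the checks above."""
    content = text.encode(DISPLAY_TEXT_TYPES[tag][1])
    return bytes([tag]) + der_length(len(content)) + content


if __name__ == "__main__":
    notice = "Use of this certificate is governed by the issuer's CPS."  # constructed sample
    samples = [
        encode_display_text(0x0C, notice),                 # conforming UTF8String
        encode_display_text(0x16, notice),                 # IA5String: MUST NOT issue
        encode_display_text(0x1E, "Policy"),               # BMPString: MUST NOT issue
        encode_display_text(0x0C, "Cafe\u0301"),           # decomposed e + combining acute, not NFC
        encode_display_text(0x1A, "Line one\tLine two"),   # VisibleString with a control character
        encode_display_text(0x0C, "x" * 201),              # over the 200-character limit
    ]
    for der in samples:
        name, text, findings = check_explicit_text(der)
        print(f"{name:14s} {text[:32]!r:36s} {findings or 'OK'}")
```

The checker returns findings instead of a pass/fail verdict on purpose: the thread is discussing exactly whether an RP should reject or merely tolerate IA5String and BMPString, so the policy decision is left to the caller while the facts about the value are established by the same code either way.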

Stephen Kent wrote:
At 11:33 AM -0500 11/17/09, Michael StJohns wrote:
I'd suggest that since this is a deprecation, it be MUST NOT 
create and SHOULD accept to deal with interop with existing systems. 
Just a thought.


Mike,

That is an interesting suggestion, i.e., to separate the requirements 
for CAs vs. RPs.

The status for BMPString was the same in my before and after illustration.

So I assume that you would suggest that we label IA5String as MUST 
NOT create and SHOULD accept, right?

Steve

_______________________________________________
pkix mailing list
pkix at ietf.org
https://www.ietf.org/mailman/listinfo/pkix
