I have a few problems with cert (draft-ietf-smime-cert). The document
refers to X.509 certificates instead of PKIX certificates.
I agree. CERT should reference PKIX Part 1.
The major issue I see is to mandate the use of ISO Distinguished Name.
This is currently mandated for the issuer names. For leaf names the
situation is a little more complex, as will be explained later.
PKCS#7 version 1.5 and CMS refer to certificates by issuer DName and serial
number. Thus, S/MIME certificates must have an issuer DName. The backward
compatibility discussion with PKCS#7 v1.5 has been repeated many, many
times, so I will not repeat it again.
"Receiving agents MUST support chaining based on the distinguished name
fields. Other methods of building certificate chains may be supported
but are not currently recommended."
Since the DNames are needed for PKCS#7 v1.5 and CMS, this seems like a
reasonable next step. Note that end entities do not have to have DNames.
They can use the more widely accepted RFC822 AltNames, or other names
formats. The issuer name in the end entity certificate must be a DName;
this will match the subject DName in the CA certificate. Chaining does not
involve the end entity name.
"Attribute certificates -- keep 'em or pitch 'em?"
The ISO document is not yet stable. I would prefer that we do not
include them for the time being but that we indicate that the support of
roles is to be considered.
I can support removing them from the CERT document, but I do not think that
we should eliminate them from the CMS document. Support for attribute
certificates should be completely optional.