More cert draft comments
1997-10-30 09:42:34

1. Section 5.2 of the cert draft specifies that CAs must allow use of optional attributes:

>Certification authorities MUST support parsing of zero or one instance
>of each of the following set of certification-request attributes on
>incoming messages. Inclusion of the following attributes during the
>creation and submission of a certification-request will most likely be
>dictated by the policies associated with the certification service
>which will certify the corresponding name and public key.

However, the second sentence says that these attributes may be used, or not, according to the CA owner's CPS. I suggest changing this requirement from a MUST to a SHOULD as follows:

>Certification authorities SHOULD support parsing of zero or one instance
>of each of the following set of certification-request attributes on
>incoming messages. Attributes which a particular implementation
>does not support may generate a warning message to the requestor or may be
>silently ignored. [...]

2. Para 5 of section 3.1 says "End-entity certificates MUST contain an Internet mail address as described in [RFC-822]." Para 2 of section 3.2 says "Sending agents SHOULD include the Internet mail address during DN creation." Para 7 of section 3.2 says that receiving agents MUST compare the From and cert addresses for a match.

This seems inconsistent; if the end-entity cert must contain an Internet mail address, it has to come as part of the initial certificate request. I don't think you can depend on the CA to correctly infer the address from the request it receives, so the address must be part of either the DN or the PKCS #10 request. I suggest changing para 2 of section 3.2 to "Sending agents MUST..." and adding the following text to section 5.2:

>Certification requests MUST include a valid Internet mail address, either as part of the certificate (as
>described in 3.2) or as part of the PKCS #10 attribute list. Certification authorities MUST check that the
>address in the From header matches either of these addresses. CAs SHOULD allow the CA operator to configure
>processing of messages whose addresses do not match.

3. Section 5.3 says CAs SHOULD use sha-1WithRSAEncryption. I suggest changing this to MUST, unless there's a good argument against it.

Cheers,
-Paul

--
Paul Robichaux | paul(_at_)ljl(_dot_)com | LJL Enterprises, Inc. | <http://www.ljl.com>
Author, _Jazz Up Your Web Site In A Weekend_ (ISBN 0761511377)
_Windows NT Server 4 Administrator's Guide_ (ISBN 0761507515)
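One way a CA-side implementation could carry out the From-header check that the post proposes for section 5.2, written as an added example rather than code from the draft or from the poster. It assumes the addresses bound in the request have already been extracted from the DN (emailAddress attribute) or the PKCS #10 attribute list and are passed in as plain strings; the `policy` names (`reject`, `warn`, `ignore`) are a hypothetical operator setting standing in for the configurable mismatch handling the post asks for. The RFC 822 addr-spec is pulled out of the From header with the standard library's `email.utils.parseaddr`, so display names and comments do not disturb the comparison.

```python
"""Compare a certification request's From address with the Internet mail
addresses bound in the request (DN emailAddress or PKCS #10 attribute).

Added example, not part of the cert draft or the post. The three policy
names are hypothetical operator configuration values."""
from email.utils import parseaddr

REJECT, WARN, IGNORE = "reject", "warn", "ignore"


def normalize(addr):
    """Return 'local@domain' in comparable form, or None if addr is not an
    addr-spec. RFC 822 makes the domain case-insensitive; the local part is
    technically case-sensitive but is folded here, which is what a CA that
    wants to accept 'Paul@' and 'paul@' as the same requestor would do."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return f"{local.lower()}@{domain.lower()}"


def from_addr_spec(from_header):
    """Extract the addr-spec from a From header such as
    'Some Name <user@example.com>' or 'user@example.com (Some Name)'."""
    _display_name, addr = parseaddr(from_header)
    return normalize(addr)


def check_request(from_header, dn_email, pkcs10_emails, policy=REJECT):
    """Return (ok, reason). ok is True when the CA may keep processing the
    request under the given mismatch policy.

    Missing addresses are always fatal (the request MUST carry one);
    a mismatch is handled according to the operator-configured policy."""
    bound = [normalize(a) for a in ([dn_email] if dn_email else []) + list(pkcs10_emails)]
    bound = [a for a in bound if a]
    if not bound:
        return False, "request carries no Internet mail address"

    from_addr = from_addr_spec(from_header)
    if from_addr is None:
        return False, "From header contains no parsable addr-spec"
    if from_addr in bound:
        return True, "From address matches a certified address"

    reason = f"From address {from_addr} matches none of {bound}"
    if policy == REJECT:
        return False, reason
    if policy == WARN:
        return True, "warning to requestor: " + reason
    return True, "ignored by operator policy: " + reason


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request.
    print(check_request("Alice Example <alice@example.com>", "alice@example.com", []))
    print(check_request("alice@example.com (Alice)", None, ["Alice@EXAMPLE.com"]))
    print(check_request("mallory@example.net", "alice@example.com", [], policy=WARN))
    print(check_request("alice@example.com", None, []))
```

The check deliberately treats "no address at all" differently from "address does not match": the first violates the proposed MUST and cannot be configured away, while the second is exactly the case the post wants the operator to decide on.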