ietf-smime

More cert draft comments

1997-10-30 09:42:34
1. Section 5.2 of the cert draft specifies that CAs must allow use of optional attributes:

>Certification authorities MUST support parsing of zero or one instance
>of each of the following set of certification-request attributes on
>incoming messages. Inclusion of the following attributes during the
>creation and submission of a certification-request will most likely be
>dictated by the policies associated with the certification service
>which will certify the corresponding name and public key.

However, the second sentence says that these attributes may be used, or not, according to the CA owner's CPS. I suggest changing this requirement from a MUST to a SHOULD as follows:

>Certification authorities SHOULD support parsing of zero or one instance
>of each of the following set of certification-request attributes on
>incoming messages. Attributes which a particular implementation
>does not support may generate a warning message to the requestor or may be
>silently ignored. [...]

2. Para 5 of section 3.1 says "End-entity certificates MUST contain an Internet mail address as described in [RFC-822]." Para 2 of section 3.2 says "Sending agents SHOULD include the Internet mail address during DN creation." Para 7 of section 3.2 says that receiving agents MUST compare the From and cert addresses for a match.

This seems inconsistent; if the end-entity cert must contain an Internet mail address, it has to come as part of the initial certificate request. I don't think you can depend on the CA to correctly infer the address from the request it receives, so the address must be part of either the DN or the PKCS #10 request.

I suggest changing para 2 of section 3.2 to "Sending agents MUST..." and adding the following text to section 5.2:

>Certification requests MUST include a valid Internet mail address, either as part of the certificate (as
>described in 3.2) or as part of the PKCS #10 attribute list. Certification authorities MUST check that the
>address in the From header matches either of these addresses. CAs SHOULD allow the CA operator to configure
>processing of messages whose addresses do not match.

3. Section 5.3 says CAs SHOULD use sha-1WithRSAEncryption. I suggest changing this to MUST, unless there's a good argument against it.

Cheers,
-Paul



--
Paul Robichaux | paul(_at_)ljl(_dot_)com | LJL Enterprises, Inc. | <http://www.ljl.com>
Author, _Jazz Up Your Web Site In A Weekend_ (ISBN 0761511377)
_Windows NT Server 4 Administrator's Guide_ (ISBN 0761507515)
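
The address check proposed in item 2, combined with the warn-or-ignore handling of unsupported attributes from item 1, as an added example that is not part of the original message or of the draft. The request is modelled as plain values rather than parsed ASN.1; the `emailAddress` attribute name, the `on_mismatch` setting and the sample message are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

SUPPORTED_ATTRS = {"emailAddress"}  # assumed attribute name, not taken from the draft

def normalize(addr):
    """Return addr with the domain lower-cased, or None if it is not local@domain."""
    local, sep, domain = (addr or "").strip().rpartition("@")
    if not (sep and local and domain):
        return None
    return local + "@" + domain.lower()

def check_request(raw_message, dn_email, attributes, on_mismatch="reject"):
    """Return (decision, warnings) for one e-mailed certification request.

    dn_email    -- address carried in the subject DN, or None
    attributes  -- (name, value) pairs standing in for the PKCS #10 attribute list
    on_mismatch -- hypothetical operator setting: "reject" or "accept-with-warning"
    """
    warnings = []
    candidates = set()
    if normalize(dn_email):
        candidates.add(normalize(dn_email))
    for name, value in attributes:
        if name not in SUPPORTED_ATTRS:
            # Item 1: an unsupported attribute produces a warning, not a failure.
            warnings.append("unsupported attribute ignored: " + name)
        elif normalize(value):
            candidates.add(normalize(value))
    if not candidates:
        return "reject", warnings + ["request carries no valid Internet mail address"]
    from_header = message_from_string(raw_message).get("From", "")
    sender = normalize(parseaddr(from_header)[1])
    if sender in candidates:
        return "accept", warnings
    # Item 2: the outcome of a mismatch is left to the CA operator's configuration.
    warnings.append("From address does not match the request")
    decision = "accept" if on_mismatch == "accept-with-warning" else "reject"
    return decision, warnings

# Constructed sample message, for illustration only.
SAMPLE = ("From: Alice Example <alice@Example.COM>\n"
          "Subject: certification request\n\n(request body)\n")

if __name__ == "__main__":
    print(check_request(SAMPLE, None, [("emailAddress", "alice@example.com")]))
    print(check_request(SAMPLE, "bob@example.com", [("exampleUnsupported", "x")]))
```

Only the domain is case-folded before comparison; the local part is compared exactly as written.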

