ietf-smime

More cert-01 Comments

1998-02-02 12:32:05
All,

I have the following comments to the 28 Jan 98 S/MIME v3 Certificate
Handling I-D:

1) General: Internet Mail Addresses in Certs: I agree with Elliott's and
Blake's previous comments that all text stating that S/MIME-compliant certs
"MUST include Internet mail addresses" must be changed to "MAY include
Internet mail addresses".

2) Sec 2.2, first para: Please change "MUST" to "MAY" in "End entity
certificates MUST include an Internet mail address" 

3) Sec 3.1, 5th para:  Please change "MUST" to "MAY" in "End-entity
certificates MUST contain an Internet mail address" 

4) Sec 3.1, 7th para: Please change "MUST" to "MAY" in "Receiving agents MUST
check" and "Receiving agents MUST provide".

5) Sec 3.1, last para: Please change:

OLD: "All subject and issuer names MUST be non-NULL in S/MIME-compliant v3
X.509 Certificates, except that the subject DN in a user's (i.e. end-entity)
certificate MAY be NULL in which case the subjectAltName extension will
include the subject's identifier and MUST be marked as critical."  

NEW: "All subject and issuer names MUST be populated in S/MIME-compliant v3
X.509 Certificates, except that the subject DN in a user's (i.e. end-entity)
certificate MAY be an empty SEQUENCE in which case the subjectAltName
extension will include the subject's identifier and MUST be marked as critical."

6) Sec 3.2, 2nd para: Please change "Sending agents MUST include the
Internet mail address during Distinguished Name creation." to "Sending agents
SHOULD NOT include the Internet mail address during Distinguished Name
creation.  If an Internet mail address is required in an end-entity's cert,
then it SHOULD be included in the subjectAltName extension."

7) Sec 4.2, 1st para:  Please add "as per [KEYM]" to "Certificate, CRL, and
chain validation MUST be performed..."

8) Sec 5: Please delete Sec 5 as described in my previous msg, subject:
"Redundant Cert Mgmt Protocols".

9) Sec A.7, Please delete this section because it is redundant to info
contained in PKIX X.509 Cert and CRL Profile.  Also, it includes an obsolete
definition of keyUsage.

10) Sec F, If you eliminate Sec A.7, then eliminate the following text:
"Section A.7 -- bit 7 is encipherOnly, bit 8 is decipherOnly.  Are we going
to use these?"


================================
John Pawling   
jsp(_at_)jgvandyke(_dot_)com                             
J.G. Van Dyke & Associates, Inc.           
================================
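
Items 5 and 6 of the message above describe a naming rule that a receiving agent can check mechanically: the issuer DN must be populated, and an end-entity subject DN may be an empty SEQUENCE only when a critical subjectAltName carries the subject's identifier; the mail address, if present, belongs in subjectAltName rather than the DN. The following Go program is an added illustration of that check and is not part of John's message or of the draft. It builds three constructed certificates with Go's standard crypto/x509 package (the CA name "Example S/MIME CA", the address "alice@example.com" and the helper names issue, CheckSMIMENames and EmailInSubjectDN are this example's own) and runs the check over each. Note that crypto/x509 itself marks the SAN extension critical when the template's subject is empty, which is the same rule the NEW text in item 5 states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OIDs used below: id-ce-subjectAltName (2.5.29.17) and the PKCS#9
// emailAddress attribute (1.2.840.113549.1.9.1).
var (
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidEmailAddress   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
)

// CheckSMIMENames applies the rule from item 5: the issuer DN must be
// populated, and the subject DN may be an empty SEQUENCE only when a critical
// subjectAltName carrying the subject's identifier (an rfc822Name here) is
// present. It returns nil when the certificate conforms.
func CheckSMIMENames(cert *x509.Certificate) error {
	// The DER encoding of an empty Name is the two bytes 0x30 0x00.
	if len(cert.RawIssuer) <= 2 {
		return errors.New("issuer DN is empty")
	}
	if len(cert.RawSubject) > 2 {
		return nil // populated subject DN: nothing further to require here
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		if !ext.Critical {
			return errors.New("empty subject DN but subjectAltName is not critical")
		}
		if len(cert.EmailAddresses) == 0 {
			return errors.New("empty subject DN but subjectAltName has no rfc822Name")
		}
		return nil
	}
	return errors.New("empty subject DN and no subjectAltName extension")
}

// EmailInSubjectDN reports whether the subject DN carries a PKCS#9 emailAddress
// attribute, the placement item 6 recommends against.
func EmailInSubjectDN(cert *x509.Certificate) bool {
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidEmailAddress) {
			return true
		}
	}
	return false
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs an end-entity certificate with the given subject DN and SAN
// rfc822Names under a throwaway CA whose DN is populated (constructed data).
func issue(subject pkix.Name, emails []string) (*x509.Certificate, error) {
	caKey, eeKey := mustKey(), mustKey()
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example S/MIME CA"}, // assumed name
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: subject,
		EmailAddresses: emails, // crypto/x509 marks this SAN critical itself when the subject is empty
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, eeTmpl, ca, &eeKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Three constructed scenarios; the names and addresses are assumed, not from the draft.
func emptySubjectWithSAN() (*x509.Certificate, error) { return issue(pkix.Name{}, []string{"alice@example.com"}) }
func emptySubjectNoSAN() (*x509.Certificate, error)   { return issue(pkix.Name{}, nil) }
func emailInDN() (*x509.Certificate, error) {
	dn := pkix.Name{CommonName: "Alice", ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: "alice@example.com"}}}
	return issue(dn, nil)
}

func main() {
	for _, s := range []struct {
		name  string
		build func() (*x509.Certificate, error)
	}{{"empty subject + critical SAN", emptySubjectWithSAN}, {"empty subject, no SAN", emptySubjectNoSAN}, {"emailAddress in subject DN", emailInDN}} {
		cert, err := s.build()
		if err != nil {
			fmt.Printf("%-28s build failed: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-28s check=%v emailInDN=%v\n", s.name, CheckSMIMENames(cert), EmailInSubjectDN(cert))
	}
}
```

The first scenario conforms to the NEW wording in item 5 and passes; the second has an empty subject with no subjectAltName at all and is rejected; the third has a populated DN that carries the mail address as a DN attribute, which the rule in item 5 accepts but which EmailInSubjectDN flags as the placement item 6 advises against.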

