Marc,
The S/MIME Cert spec, Sec 3.1, last paragraph states: "All subject and
issuer names MUST be non-NULL in S/MIME-compliant v3 X.509 Certificates,
except that the subject DN in a user's (i.e. end-entity) certificate MAY be
NULL in which case the subjectAltName extension will include the subject's
identifier and MUST be marked as critical."
Therefore, IssuerAltName is not required to identify an S/MIME-compliant
certificate because there will not be any "DN-less" CAs.
================================
John Pawling
jsp(_at_)jgvandyke(_dot_)com
J.G. Van Dyke & Associates, Inc.
================================
I'm late to this thread and new to the list, so my apologies if the
following isn't germane or a new idea.
I believe the PKCS#7 IssuerAndSerialNumber type is an inadequate certificate
identifier now that we have IssuerAlternativeName extensions.
The type should be redefined to something like:
IssuerAndSerialNumber ::= SEQUENCE {
    issuerDN       Name,
    issuerAltName  IssuerAltName OPTIONAL,  -- As defined in PKIX
    serial         CertificateSerialNumber
}
This would make it acceptable for certificates from DN-less CAs.
Marc
+------------------------------------------------------------------------+
Marc Branchaud
Chief PKI Architect, XCERT INTERNATIONAL INC.
marcnarc(_at_)xcert(_dot_)com
604-640-6227
www.xcert.com
PKI References page: www.xcert.com/~marcnarc/PKI/
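The structure Marc proposes above, encoded and decoded in DER, as an added example that is not code from this thread nor from PKCS#7 or PKIX. It uses a reduced model: the issuer Name carries at most one commonName attribute, the GeneralNames in issuerAltName are limited to the rfc822Name choice, and the "NULL" DN that John's quoted S/MIME text refers to is represented as the empty Name SEQUENCE, which encodes as the two octets 30 00. The decoder also shows how the OPTIONAL issuerAltName is recognised: Name and GeneralNames are both SEQUENCEs, so a second SEQUENCE appearing before the INTEGER serial can only be the alt name. All sample values (the "Example CA" name, the ca@example.com address, the serial numbers) are constructed for the example.

```python
"""DER encode/decode for the IssuerAndSerialNumber variant proposed in the
thread: issuerDN Name, issuerAltName GeneralNames OPTIONAL, serial INTEGER.
Added example, not code from the thread or from PKCS#7/PKIX. Simplifications:
the Name holds at most one commonName; GeneralName is rfc822Name only."""

TAG_INTEGER, TAG_OID, TAG_UTF8STRING = 0x02, 0x06, 0x0C
TAG_SEQUENCE, TAG_SET = 0x30, 0x31
TAG_RFC822NAME = 0x81  # GeneralName rfc822Name [1] IMPLICIT IA5String
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def encode_integer(value: int) -> bytes:
    """Non-negative INTEGER; length chosen so the sign bit stays clear."""
    if value < 0:
        raise ValueError("serial numbers are non-negative here")
    return tlv(TAG_INTEGER, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def encode_name(common_name):
    """Name ::= SEQUENCE OF RelativeDistinguishedName; None gives the empty
    ('NULL') Name, which encodes as 30 00."""
    if common_name is None:
        return tlv(TAG_SEQUENCE, b"")
    atv = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_COMMON_NAME)
              + tlv(TAG_UTF8STRING, common_name.encode("utf-8")))
    return tlv(TAG_SEQUENCE, tlv(TAG_SET, atv))

def encode_general_names(emails):
    """GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName."""
    if not emails:
        raise ValueError("GeneralNames needs at least one GeneralName")
    return tlv(TAG_SEQUENCE, b"".join(tlv(TAG_RFC822NAME, e.encode("ascii")) for e in emails))

def encode_issuer_and_serial(issuer_cn, serial, issuer_alt_emails=None) -> bytes:
    body = encode_name(issuer_cn)
    if issuer_alt_emails:  # OPTIONAL component: omitted entirely when absent
        body += encode_general_names(issuer_alt_emails)
    return tlv(TAG_SEQUENCE, body + encode_integer(serial))

def read_tlv(data: bytes, pos: int):
    """Return (tag, content, position after the element)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_name(content: bytes):
    """Return the commonName in a Name, or None for the empty Name."""
    if not content:
        return None
    _, rdn, _ = read_tlv(content, 0)
    _, atv, _ = read_tlv(rdn, 0)
    tag, oid, p = read_tlv(atv, 0)
    if tag != TAG_OID or oid != OID_COMMON_NAME:
        raise ValueError("only commonName is modelled in this example")
    _, value, _ = read_tlv(atv, p)
    return value.decode("utf-8")

def decode_issuer_and_serial(der: bytes) -> dict:
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, name, pos = read_tlv(body, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("issuerDN must be a Name (SEQUENCE)")
    # OPTIONAL issuerAltName: both Name and GeneralNames are SEQUENCEs, so a
    # second SEQUENCE before the INTEGER serial can only be the alt name.
    tag, content, nxt = read_tlv(body, pos)
    alt_names = None
    if tag == TAG_SEQUENCE:
        alt_names, p = [], 0
        while p < len(content):
            t, c, p = read_tlv(content, p)
            if t != TAG_RFC822NAME:
                raise ValueError("unsupported GeneralName choice 0x%02x" % t)
            alt_names.append(c.decode("ascii"))
        tag, content, nxt = read_tlv(body, nxt)
    if tag != TAG_INTEGER or nxt != len(body):
        raise ValueError("expected serial INTEGER as the last component")
    return {"issuer_cn": decode_name(name), "issuer_alt_names": alt_names,
            "serial": int.from_bytes(content, "big")}
```

`encode_issuer_and_serial("Example CA", 1)` produces the classic 28-octet form beginning `30 1a 30 15 31 13 30 11 06 03 55 04 03 ...` with no alt name, while `encode_issuer_and_serial(None, 0x1234, ["ca@example.com"])` produces the DN-less form beginning `30 18 30 00 30 10 81 0e ...`, where the empty Name is followed directly by the GeneralNames SEQUENCE. Either form round-trips through `decode_issuer_and_serial`, which is where a relying party would have to decide whether an empty issuerDN is acceptable at all under the S/MIME rule John quotes.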