Re: Inclusion of the issuer and serial number in authenticated in forma

Russ,

I agree.  In fact, this was one of my comments to CERT-02:


"8) Sec 3.1, last para: This change is required because it is impossible for
a subject or issuer name to have the value of ASN.1 NULL. The subject DN in
a user's (i.e. end-entity) certificate MAY be an empty SEQUENCE.  Please
change:  

OLD: "All subject and issuer names MUST be non-NULL in S/MIME-compliant v3
X.509 Certificates, except that the subject DN in a user's (i.e. end-entity)
certificate MAY be NULL in which case the subjectAltName extension will
include the subject's identifier and MUST be marked as critical."  

NEW: "All subject and issuer names MUST be populated (i.e. not an empty
SEQUENCE) in S/MIME-compliant v3 X.509 Certificates, except that the subject
DN in a user's (i.e. end-entity) certificate MAY be an empty SEQUENCE in
which case the subjectAltName extension will include the subject's
identifier and MUST be marked as critical."

- John Pawling


At 01:07 PM 3/20/98 -0500, Russ Housley wrote:
> I thought that we decides to say that the names could not be empty.
> Several readers have confused the NULL with the ASN.1 type.
>
> Russ
>
>
> At 01:52 PM 3/19/98 -0500, John Pawling wrote:
> > Marc,
> >
> > The S/MIME Cert spec, Sec 3.1, last paragraph states: "All subject and
> > issuer names MUST be non-NULL in S/MIME-compliant v3 X.509 Certificates,
> > except that the subject DN in a user's (i.e. end-entity) certificate MAY be
> > NULL in which case the subjectAltName extension will include the subject's
> > identifier and MUST be marked as critical."
> >
> > Therefore, IssuerAltName is not required to identify an S/MIME-compliant
> > certificate because there will not be any "DN-less" CAs. 
> >
> > ================================
> > John Pawling   
> > jsp(_at_)jgvandyke(_dot_)com                             
> > J.G. Van Dyke & Associates, Inc.           
> > ================================
> >
> >
> > > I'm late to this thread and new to the list, so my apologies if the 
> > > following isn't germane or a new idea.
> > >
> > > I believe the PKCS#7 IssuerAndSerialNumber type is an inadequate
> certificate 
> > > identifier now that we have IssuerAlternativeName extensions.
> > >
> > > The type should be redefined to something like:
> > >
> > > IssuerAndSerialNumber ::= SEQUENCE {
> > >     issuerDN          Name,
> > >     issuerAltName     IssuerAltName OPTIONAL,  -- As defined in PKIX
> > >     serial            CertificateSerialNumber
> > > }
> > >
> > > This would make it acceptable for certificates from DN-less CAs.
> > >
> > >             Marc
> > >
> > > +------------------------------------------------------------------------+
> > > Marc Branchaud                                  \/
> > > Chief PKI Architect                             /\CERT INTERNATIONAL INC.
> > > marcnarc(_at_)xcert(_dot_)com        PKI References page:              
> > > www.xcert.com
> > > 604-640-6227          www.xcert.com/~marcnarc/PKI/