It seems to me that an invitation to suggest "fixes" to X.509
should not be confused as an invitation to extend X.509 to include (your
favorite application feature here).
I seem to remember some text:
X.509, para 1.2:
"It is not intended to establish this as a general framework for
authentication, it can be of general use for applications which consider
these techniques adequate."
I love this sentence. It addresses two areas which have plagued PEM
interpreters.
1) The technique is for authentication. It is not for authorization,
etc.
2) It is for Directory systems and is designed for that system's needs.
Anyone else who wishes to use this system and finds it adequate
for their needs is allowed to do so. I notice that they are not
invited to complain about it or suggest changes which make sense
for their application but not for Directory systems.
Of course para 1.2 might be considered a defect by some ... :-)
So, does anyone have any defects to X.509 which relate to authentication in the
Directory system?
I would like to see the addition of a nextIssue date to CRLs.
Any place where there are optional constructed elements should be refined so
that only one possible encoding can occur.
I would like to see DEFAULT removed from certificate versions.
I would like to see the 1992 extensions to Certificate removed.
John Lowry
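The two encoding complaints in the post (optional constructed elements with more than one legal encoding, and DEFAULT on the certificate version) share one root cause: a signature is computed over bytes, so any abstract value that admits two byte strings gives the relying party two "valid" certificates for one logical certificate. The following is an added illustration and is not code from the post or from any X.509 implementation; the helper names (`encode_tbs_prefix`, `decode_version_canonical`, `read_tlv`) and the tiny TBS-prefix structure (just `version [0] EXPLICIT INTEGER DEFAULT v1` followed by a serial INTEGER) are assumptions made for the example, not a full X.509 TBSCertificate.

```python
import hashlib

V1 = 0  # X.509 v1 is the DEFAULT value of the version field


def der_length(n: int) -> bytes:
    """Definite-length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer_content(v: int) -> bytes:
    """Minimal two's-complement content octets for a non-negative INTEGER."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # keep the sign bit clear for a positive value
        body = b"\x00" + body
    return body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value wrapper for a single-octet tag."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_version(version: int, canonical: bool, emit_default: bool = False) -> bytes:
    """version [0] EXPLICIT INTEGER DEFAULT v1.

    Under BER the sender may write the default value out or leave it
    absent; the canonical (DER-style) rule forbids writing it out."""
    if version == V1 and (canonical or not emit_default):
        return b""
    return tlv(0xA0, tlv(0x02, der_integer_content(version)))


def encode_tbs_prefix(version: int, serial: int, canonical: bool,
                      emit_default: bool = False) -> bytes:
    """Assumed toy TBS prefix: SEQUENCE { version, serialNumber }."""
    return tlv(0x30, encode_version(version, canonical, emit_default)
               + tlv(0x02, der_integer_content(serial)))


def ber_encodings_of_v1(serial: int) -> set:
    """Every byte string a BER encoder may legally emit for a v1 prefix."""
    return {encode_tbs_prefix(V1, serial, canonical=False, emit_default=d)
            for d in (False, True)}


def der_encodings_of_v1(serial: int) -> set:
    """The canonical rule collapses the same choices to one byte string."""
    return {encode_tbs_prefix(V1, serial, canonical=True, emit_default=d)
            for d in (False, True)}


def digest(encoded: bytes) -> str:
    """Stand-in for the value a signature would be computed over."""
    return hashlib.sha256(encoded).hexdigest()


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos = pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def decode_version_canonical(tbs: bytes) -> int:
    """Parse the version; reject an explicitly encoded DEFAULT (the DER rule),
    so that a value has exactly one accepted encoding."""
    tag, content, _ = read_tlv(tbs)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, inner, _ = read_tlv(content)
    if tag != 0xA0:
        return V1  # [0] absent: the DEFAULT applies
    tag, ver, _ = read_tlv(inner)
    if tag != 0x02:
        raise ValueError("expected INTEGER inside [0]")
    version = int.from_bytes(ver, "big")
    if version == V1:
        raise ValueError("DEFAULT value encoded explicitly: not canonical")
    return version


if __name__ == "__main__":
    for enc in sorted(ber_encodings_of_v1(1)):
        print("BER form:", enc.hex(), "digest:", digest(enc)[:16])
    for enc in der_encodings_of_v1(1):
        print("DER form:", enc.hex(), "digest:", digest(enc)[:16])
```

Run stand-alone it prints two BER byte strings with two different digests for the same v1 prefix, and a single DER form. A verifier that hashes and checks whatever bytes it received would accept both BER forms as distinct "signed" objects; rejecting the non-canonical form at decode time, as `decode_version_canonical` does, is what makes "only one possible encoding" enforceable rather than merely recommended.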