In message <"swan.cl.cam.:276950:940203015240"@cl.cam.ac.uk>, Mike Roe writes:
I believe that PEM implementations do have to understand the matching rules,
for the following reason:
Suppose my certificate has:
Issuer: c=GB;o=Cambridge University
Subject: c=GB;o=Cambridge University;ou=Computer Lab;cn=Michael Roe
and my CA's certificate has:
Issuer: c=GB;o=JNT Policy CA
Subject: c=GB;o=CAMBRIDGE UNIVERSITY
I can use these two certificates to form a valid certification path up
to the policy CA because the matching rules say that o (organisation)
is caseIgnoreString and hence "Cambridge University"="CAMBRIDGE UNIVERSITY".
However, the certification path checking routine must understand the
matching rules for the naming attributes in order to realise that this
is a valid path.
Mike
Actually, the example you give is flawed. The CA's certificate only
permits it the use of o=CAMBRIDGE UNIVERSITY when certifying
certificates to subordinates. Hence, when it issued a certificate
with the Issuer field containing o=Cambridge University it did so as a
"non-CA" entity. I believe you are confusing the matching rules, to
be used when making a directory search, with the naming rules. Though
the two versions of the CA's name can be used when searching a
directory and MUST, according to the rules, yield the same results,
they may NOT be interchanged in X.509 certificates.
Jeff Kimmelman
BBN Network Security Department
------------------------------
| Phone: (617) 873-2679
| Internet: jkimmelman@bbn.com
| US Mail: 150 CambridgePark Drive, Cambridge, Ma. 02140
------------------------------
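To make the disagreement in this exchange concrete, here is an added example (mine, not code from either poster) that chains Mike's two certificates under each of the two comparison policies: X.500 caseIgnoreMatch semantics as specified in X.520 (case folded, leading, trailing and repeated spaces insignificant), and byte-for-byte equality of the attribute values, which is what Jeff says a PEM path checker must apply. The `;`-separated DN notation is taken from the quoted message; the `Cert` class, the function names and the "exact" policy as implemented here are assumptions for the illustration, not anything from a PEM implementation.

```python
"""Chain X.509 names under X.500 matching rules versus exact comparison.

Added example for the Roe/Kimmelman exchange; the DN syntax follows the
thread's 'c=GB;o=Cambridge University' notation (assumed, not real X.509
encoding).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse 'c=GB;o=Cambridge University' into [(type, value), ...].

    Attribute types are folded to lower case (they are not case sensitive
    in either policy); values are kept exactly as written.
    """
    rdns = []
    for part in dn.split(";"):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"bad RDN {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def case_ignore_normalize(value: str) -> str:
    """X.520 caseIgnoreMatch: ignore case and insignificant spaces."""
    return " ".join(value.split()).lower()


def dn_equal_matching_rules(a: str, b: str) -> bool:
    """Directory-search semantics: same types, values equal under caseIgnoreMatch."""
    pa, pb = parse_dn(a), parse_dn(b)
    if len(pa) != len(pb):
        return False
    return all(
        ta == tb and case_ignore_normalize(va) == case_ignore_normalize(vb)
        for (ta, va), (tb, vb) in zip(pa, pb)
    )


def dn_equal_exact(a: str, b: str) -> bool:
    """Name-chaining semantics assumed here: values must be identical."""
    return parse_dn(a) == parse_dn(b)


@dataclass(frozen=True)
class Cert:
    """Only the two fields name chaining looks at (constructed, no signature)."""
    issuer: str
    subject: str


def chaining_problems(path: list[Cert], name_equal: Callable[[str, str], bool]) -> list[str]:
    """Walk a path ordered end entity -> ... -> CA; report every link whose
    issuer name does not name the next certificate's subject."""
    problems = []
    for child, parent in zip(path, path[1:]):
        if not name_equal(child.issuer, parent.subject):
            problems.append(
                f"issuer {child.issuer!r} does not match subject {parent.subject!r}"
            )
    return problems


def chain_validates(path: list[Cert], name_equal: Callable[[str, str], bool]) -> bool:
    return not chaining_problems(path, name_equal)


# Mike's example, transcribed from the quoted message.
MIKE_CERT = Cert(
    issuer="c=GB;o=Cambridge University",
    subject="c=GB;o=Cambridge University;ou=Computer Lab;cn=Michael Roe",
)
CA_CERT = Cert(
    issuer="c=GB;o=JNT Policy CA",
    subject="c=GB;o=CAMBRIDGE UNIVERSITY",
)
PATH = [MIKE_CERT, CA_CERT]


if __name__ == "__main__":
    for label, policy in (
        ("X.500 matching rules", dn_equal_matching_rules),
        ("exact comparison    ", dn_equal_exact),
    ):
        print(label, chain_validates(PATH, policy), chaining_problems(PATH, policy))
```

Running it shows the two positions side by side: under caseIgnoreMatch the path chains, under exact comparison the link from Mike's certificate to the CA certificate is rejected because "Cambridge University" and "CAMBRIDGE UNIVERSITY" are different byte strings. Whichever policy a checker adopts, it must be the one every CA in the hierarchy was issued under, otherwise a path that one implementation accepts another will refuse.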