pem-dev

Re: CA Names

1994-02-03 08:46:00

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-ID-Asymmetric: MFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDE
 kMCIGA1UEChMbVHJ1c3RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwh
 HbGVud29vZA==,31
MIC-Info: RSA-MD5,RSA,1lG3Eli4oSvk9CtSASEebt4/VcF8u4aCvbht9JgJEhu
 tDgfQDmG/Dpd8E4z/aGcHKopNYmVbKbHFb8cRvWiyh4dxPhKDQnwMMVli+ZkhoZI
 WuQXEsNB22ZDi2l3fJP9W

Paul,

     You may recall that 1422 specifies that the IPRA-maintained
database to detect DN conflicts calls for a canonical representation
of DNs in that database to avoid the concern you cited.  The specific
canonical form was described in a detailed message that is not part
of the RFC but was exchanged among those of us worrying about how
to build and operate this database.  This form called for removal
of all whitespace and transformation into all lower case.

     I spoke with Mike Roe and he believes that a properly
functioning DSA would refuse to create an entry for an entity with the
same canonical DN as an existing entry, under the matching rules.
This alleviates my concerns about using these rules for matching in
local caches, IF we operate the IPRA database (which could be a
DSA) to catch potential DN conflicts, as specified in 1422.


Steve,

This is good news, although the deletion of *all* whitespace is
not exactly the right thing to do. The CaseIgnoreString matching
rules call for the deletion of leading and trailing whitespace,
and the conversion of interior whitespace to a single space.
The transformation to one case (either upper or lower) is correct.

In the absence of the IPRA database, a CA will need to properly compare
dnames to ensure uniqueness under the equivalence rules. Also,
during message processing a PEM implementation will be required
to properly retrieve/store certs from its local cache based upon
the originator/recipient-id fields. Since these fields should
probably not be assumed to be in canonical form, the implementation
will be required to canonicalize them.

                Paul


_________________________________
Paul Clark
Trusted Information Systems, Inc.
3060 Washington Road
Glenwood, MD 21738

E-Mail: paul(_at_)tis(_dot_)com
Phone:  301.854.6889
FAX:    301.854.5363
_________________________________
-----END PRIVACY-ENHANCED MESSAGE-----
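The two canonical forms discussed in the exchange above (the IPRA-database form that removes all whitespace, and the CaseIgnoreString rule that trims ends, collapses interior runs to one space and folds case) give different answers for some DN pairs. The following is an added example, not code from the thread or from any PEM implementation; it assumes an RFC 1779-style comma-separated "TYPE=value" string form for DNs (the real Originator-ID value is DER-encoded ASN.1), does not handle escaped commas inside values, and uses constructed sample DNs modelled on the signature block.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample DNs (string form assumed; not taken from the wire).
DN_A = "C=US, ST=MD, O=Trusted Information Systems, OU=Glenwood"
DN_B = "c=us, st=md, o=  trusted   information systems , ou=GLENWOOD"
DN_C = "C=US, ST=MD, O=TrustedInformation Systems, OU=Glenwood"


def case_ignore_canonical(value: str) -> str:
    """CaseIgnoreString matching as Paul states it: drop leading and
    trailing whitespace, collapse interior whitespace to a single space,
    fold to one case."""
    return " ".join(value.split()).lower()


def strip_all_whitespace_canonical(value: str) -> str:
    """The IPRA-database form Steve describes: remove *all* whitespace,
    then fold to one case."""
    return re.sub(r"\s+", "", value).lower()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a comma-separated 'TYPE=value' DN into (type, raw value)
    pairs. Attribute types are compared case-insensitively; values are
    left untouched so the chosen matching rule can be applied to them."""
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value))
    return rdns


def canonicalize_dn(dn: str, rule: Callable[[str], str]) -> Tuple[Tuple[str, str], ...]:
    """Apply the matching rule to every attribute value; the result is
    the key under which a cache or DN-conflict database would store it."""
    return tuple((t, rule(v)) for t, v in parse_dn(dn))


def dn_equal(a: str, b: str, rule: Callable[[str], str] = case_ignore_canonical) -> bool:
    return canonicalize_dn(a, rule) == canonicalize_dn(b, rule)


def find_conflict(new_dn: str, existing: List[str],
                  rule: Callable[[str], str] = case_ignore_canonical) -> Optional[str]:
    """What a DSA or the IPRA database would do before creating an entry:
    return the already-registered DN that matches under the rule, or None."""
    key = canonicalize_dn(new_dn, rule)
    for dn in existing:
        if canonicalize_dn(dn, rule) == key:
            return dn
    return None


if __name__ == "__main__":
    # DN_A and DN_B differ only in case and whitespace layout: equal under both rules.
    print("A == B (CaseIgnore):", dn_equal(DN_A, DN_B))
    # DN_C drops a word boundary. CaseIgnoreString keeps them distinct,
    # whereas stripping all whitespace treats the two as the same name.
    print("A == C (CaseIgnore):", dn_equal(DN_A, DN_C))
    print("A == C (strip all) :", dn_equal(DN_A, DN_C, strip_all_whitespace_canonical))
    print("conflict for C, CaseIgnore:", find_conflict(DN_C, [DN_A]))
    print("conflict for C, strip all :", find_conflict(DN_C, [DN_A], strip_all_whitespace_canonical))
```

The point of keeping the rule pluggable is that the local cache lookup Paul mentions and the conflict check run by the IPRA database have to agree on the same rule; if the cache uses CaseIgnoreString and the database strips all whitespace, a name the database would refuse can still look distinct locally, and vice versa.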
