pem-dev

Re: which version of certificate (was: Key selectors)

1995-01-17 13:40:00
Now let me ask the question I really intended to ask. Assuming that
we upgrade to v3, perhaps in six months or so after the ISO spec is
firmed up, and perhaps after we have had a chance to consider how best
to take advantage of it, will your _implementation_, and presumably
any other PEM/MIME implementation, be in a position to implement v3?

I don't see why not.  Certificate management is not specific to PEM/MIME, but
is a general PEM issue.  I can't speak for Jim's implementation, of course,
but I certainly expect us to support v3 in products that deal with
certificates.  It's a clear improvement over the status quo, and I can't
imagine anyone doing certificate management and *not* wanting to support it.

I also approve of the move to v3 certs. While I do not do this sort of support
work myself in our products, it will be one of the requirements I will use to
evaluate implementations of the underlying certificate support I use, both in
our PEM work as well as in the context of X.500.

However, it would help a lot if support for the format would be required in
implementations, since I have to be able to interoperate with other people who
may not feel the same way about updating their products. And as I have pointed
out in a previous message, the view that RFC1422 mandates support for v3 certs
is not borne out by even the most cursory examination of the specification.

This is why I also approve of the production of a separate document that's
either an amendment to or update of RFC1422 that deals with the issue of what
formats must be supported.

In part, this is a question as to whether the interface between the
PEM/MIME layer and the 1422 layer is designed to pass the
additional extensions. I am particularly concerned about the
correct handling of the CRITICAL extensions.

Since PEM/MIME doesn't interpret the certificate, any other interested layers
get to look at whatever certificate is in the message.  This is one of the
advantages of separating certification policy from representation.  What
layers get which data seems to me to be strictly a matter of implementation.

Absolutely. This is how I can get away with not worrying about v3 cert
formats -- they are an underlying service I get from somewhere else, not
something I have to code into my mail system.

Divide and conquer wins as usual.

                                Ned
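The concern raised above about "correct handling of the CRITICAL extensions" is the one that bites a relying party in practice: a v3 certificate may carry extensions the verifying code has never heard of, and the X.509 rule (later spelled out in RFC 5280, section 4.2) is that an unrecognized extension marked critical must cause the certificate to be rejected, while an unrecognized non-critical one may simply be ignored. The following is an added illustration written for this archive page, not code from any of the participants or from any PEM implementation. It uses Go's standard-library crypto/x509 to build a self-signed v3 certificate carrying one private extension under a placeholder enterprise OID (a constructed value, not a registered one), then applies the accept/reject rule to it. Go's parser records unknown critical extensions in the certificate's UnhandledCriticalExtensions field, which is what the check inspects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Constructed OID for a private extension that no verifier recognizes.
// Assumption: a placeholder under the enterprise arc 1.3.6.1.4.1; the
// enterprise number 99999 is made up for this example.
var unknownExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// makeSelfSigned builds a v3 self-signed certificate carrying one extra
// private extension whose criticality is set by the caller. It is a test
// fixture so the check below can be run offline.
func makeSelfSigned(critical bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-v3-cert"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
		ExtraExtensions: []pkix.Extension{{
			Id:       unknownExtOID,
			Critical: critical,
			Value:    []byte{0x05, 0x00}, // DER NULL as the extension payload
		}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptCertificate applies the rule discussed in the thread: a relying
// party that meets a critical extension it does not understand must
// reject the certificate; an unknown non-critical extension may be ignored.
func acceptCertificate(cert *x509.Certificate) (bool, string) {
	if len(cert.UnhandledCriticalExtensions) > 0 {
		return false, fmt.Sprintf("rejected: unrecognized critical extension(s) %v",
			cert.UnhandledCriticalExtensions)
	}
	// Non-critical unknown extensions are permitted; report what was skipped
	// so an operator can see it in the logs.
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(unknownExtOID) && !ext.Critical {
			return true, fmt.Sprintf("accepted: ignored non-critical extension %v", ext.Id)
		}
	}
	return true, "accepted"
}

func main() {
	for _, critical := range []bool{false, true} {
		cert, err := makeSelfSigned(critical)
		if err != nil {
			panic(err)
		}
		ok, why := acceptCertificate(cert)
		fmt.Printf("critical=%v -> ok=%v (%s)\n", critical, ok, why)
	}
}
```

The same rule is what a full chain validation enforces: calling the certificate's Verify method with an unhandled critical extension present returns an x509.UnhandledCriticalExtension error. The explicit check here exists to show the decision itself, which is the part an implementation of the layering described above has to get right regardless of which library sits underneath the mail system.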
