pem-dev

Re: X.509 v3 support

1995-01-18 15:20:00


   >As I have said before, RFC1422 needs to be either revised or amended if support
   >for v3 certs is going to be required in conformant implementations.

Steve's language states that it comes down to an implementor's choice.

Complete implementations will, incomplete implementations won't.

Bob certainly doesn't understand that v2 and v3 certificates *are*
wholly permitted (at ISO/ITU ratification time) in PEM.

RFC 1422 permits v3 certificates, without change, once the ISO process
terminates.

There is no can of worms in multiple PCAs certifying a CA in 1422;
quite to the contrary, 1422 ensures a unique trust path, in this area,
is always calculable; removing the 1422 constraints from X.509 is sheer
lunacy, given the goals of Classic PEM of facilitating privacy enhancement.  I
personally expect complete and conformant implementations to exploit
the v3 authorityKeyIdentifier extension to aid the process of trust
chain verification, for example.

   3.3.1  Version Number

   The version number field is intended to facilitate orderly changes in
   certificate formats over time.  The initial version number for
   certificates used in PEM is the X.509 default which has a value of
   zero (0), indicating the 1988 version.  PEM implementations are
   encouraged to accept later versions as they are endorsed by
   CCITT/ISO.

   3.3.5  Issuer Name

   A certificate provides a representation of its issuer's identity, in
   the form of a Distinguished Name.  The issuer identification is used
   to select the appropriate issuer public component to employ in
   performing certificate validation.  (If an issuer (CA) is certified
   by multiple PCAs, then the issuer DN does not uniquely identify the
   public component used to sign the certificate.  In such circumstances
   it may be necessary to attempt certificate validation using multiple
   public components, from certificates held by the issuer under
   different PCAs.  If the 1992 version of a certificate is employed,
   the issuer may employ distinct issuer UIDs in the certificates it
   issues, to further facilitate selection of the right issuer public
   component.) 
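
The issuer-selection problem that 3.3.5 describes, and the authorityKeyIdentifier shortcut the reply proposes for it, as an added Go example that is not part of this thread or of RFC 1422. It builds its own fixture with Go's standard crypto/x509 package: a hypothetical CA named "Example CA" holding two distinct P-256 public components (standing in for two PCA certifications of the same CA name) and a user certificate for alice@example.invalid signed with the second one. The CA certificates are self-signed only for brevity, and the function names (buildScenario, selectIssuer) are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must is a fixture helper: building the constructed certificates is not expected to fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates and re-parses a certificate; parent == tmpl yields a self-signed one.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA builds a CA certificate for cn with a fresh P-256 key and the given
// subjectKeyIdentifier. It is self-signed only to keep the fixture short; under
// RFC 1422 each CA certificate would be signed by its PCA.
func newCA(cn string, skid []byte, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template(cn, serial)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	tmpl.SubjectKeyId = skid
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// buildScenario models a hypothetical "Example CA" holding two distinct public
// components, as when two PCAs each certify the CA, and a user certificate
// signed with the second component. It returns the leaf, the candidate pool,
// and the certificate whose key really signed the leaf.
func buildScenario() (leaf *x509.Certificate, pool []*x509.Certificate, issuer *x509.Certificate) {
	caA, _ := newCA("Example CA", []byte{0xA1, 0xA2, 0xA3, 0xA4}, 1)
	caB, keyB := newCA("Example CA", []byte{0xB1, 0xB2, 0xB3, 0xB4}, 2)
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// CreateCertificate copies the parent's subjectKeyIdentifier into the new
	// certificate's authorityKeyIdentifier, so the leaf names B's key explicitly.
	leaf = issue(template("alice@example.invalid", 100), caB, &userKey.PublicKey, keyB)
	return leaf, []*x509.Certificate{caA, caB}, caB
}

// selectIssuer finds the issuer public component that signed leaf: match the
// issuer DN first (ambiguous when one CA is certified under several PCAs, as
// 3.3.5 notes), narrow by authorityKeyIdentifier when the v3 extension is
// present, then confirm by verifying the signature with each survivor in turn,
// which is all a v1 certificate allows. It also returns the DN-match count.
func selectIssuer(leaf *x509.Certificate, pool []*x509.Certificate) (*x509.Certificate, int, error) {
	var byName []*x509.Certificate
	for _, c := range pool {
		if bytes.Equal(c.RawSubject, leaf.RawIssuer) {
			byName = append(byName, c)
		}
	}
	candidates := byName
	if len(leaf.AuthorityKeyId) > 0 {
		candidates = nil
		for _, c := range byName {
			if bytes.Equal(c.SubjectKeyId, leaf.AuthorityKeyId) {
				candidates = append(candidates, c)
			}
		}
	}
	for _, c := range candidates {
		if leaf.CheckSignatureFrom(c) == nil {
			return c, len(byName), nil
		}
	}
	return nil, len(byName), fmt.Errorf("no issuer public component verifies the signature (%d DN matches)", len(byName))
}

func main() {
	leaf, pool, _ := buildScenario()
	chosen := must(selectIssuerOnly(leaf, pool))
	fmt.Printf("with authorityKeyIdentifier: selected key %x\n", chosen.SubjectKeyId)
	leaf.AuthorityKeyId = nil // emulate a v1 certificate: no extension, trial verification only
	chosen = must(selectIssuerOnly(leaf, pool))
	fmt.Printf("without it, trial verification still selects key %x\n", chosen.SubjectKeyId)
}

// selectIssuerOnly drops the DN-match count so main can use must().
func selectIssuerOnly(leaf *x509.Certificate, pool []*x509.Certificate) (*x509.Certificate, error) {
	c, _, err := selectIssuer(leaf, pool)
	return c, err
}
```

Run with `go run`. Both DN matches survive step one; only the key identifier (or, for a certificate without the extension, a trial signature check against each candidate) picks the right one. The v2 issuer UID route that 3.3.5 also mentions is not shown here: Go's crypto/x509 does not surface that field, so only the v3 extension and the v1 fallback are demonstrated.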
