pem-dev

Re: X.509 v3 support

1995-01-18 18:25:00


   >As I have said before, RFC1422 needs to be either revised or amended if support
   >for v3 certs is going to be required in conformant implementations.

Steve's language states that it comes down to an implementor's choice.

Complete implementations will, incomplete implementations won't.

These are your terms, and have no well understood meaning when it comes
time for users to evaluate products. The typical purchaser of these
services doesn't know what the differences between certificate formats
are and doesn't want to know. What they want is for the specifications to be
sufficiently complete that something that conforms to the letter of the
specifications is in fact up to any reasonable PEM-related task.

This has even more meaning from a vendor's perspective. Let's say that I
implement v3 certs in my product and start using them. A customer buys
my product and finds that my use of v3 certs does not interoperate properly
with some old product that doesn't support them. I look into this and
tell the customer that the other product doesn't have the necessary support
in it. The customer contacts the other vendor and tells them this. The
vendor responds by citing chapter and verse from RFC1422 about how no
support for v3 certs is required. This brings the customer back to me, and
I get to solve the problem for them somehow. This is how the real world
works on such things.

As such, it should be a task for this group to assess whether or not they wish
to impose additional requirements on certificate support, specifically that
support for later certificate formats be required.

The group could well decide that such a requirement is unnecessary. That's
fine too. But this is an issue that isn't going to go away.

Bob certainly doesn't understand that v2 and v3 certificates *are*
wholly permitted (at ISO/ITU ratification time) in PEM.

Actually, I think he does understand this. I know I do.

RFC 1422 permits v3 certificates, without change, once the ISO process
terminates.

Sure. But it doesn't require support for them. You may think this is
unnecessary, but whether or not this is true is something we need to decide.

                                Ned
