[x500standard] Re: Inconsistency in X.509

  • From: Santosh Chokhani <SChokhani@xxxxxxxxxxxx>
  • To: "x500standard@xxxxxxxxxxxxx" <x500standard@xxxxxxxxxxxxx>, SG17-Q11 <t09sg17q11@xxxxxxxxxxxxx>
  • Date: Tue, 12 Jul 2011 10:24:29 -0400

Hopefully, subject DN is absent only in EE certificate, obviating the need for 
name chaining.

From: x500standard-bounce@xxxxxxxxxxxxx 
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: Tuesday, July 12, 2011 10:13 AM
To: Directory list; SG17-Q11
Subject: [x500standard] Inconsistency in X.509

Hi Folks,

Note 2 of 8.3.2.1 (which should not be a note) states that the value of the 
public-key certificate subject field may hold an empty DN under certain 
conditions. The note of 8.3.2.2 states something similar for the issuer field.

Somewhere down in clause 7, a little before the CertificationPath data type, 
the following statement may be found:

The issuer and subject fields of each certificate are used, in part, to 
identify a valid path. For each pair of adjacent certificates in a valid 
certification path, the value of the subject field in one certificate shall 
match the value of the issuer field in the subsequent certificate. In addition, 
the value of the issuer field in the first certificate shall match the DN of 
the trust anchor. Only the names in these fields are used when checking 
validity of a certification path. Names in certificate extensions are not used 
for this purpose.

What is true?

Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik
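
The clause 7 rule quoted above, together with the reply's point about end-entity (EE) certificates, as an added example that is not part of the original posts or of X.509 itself. The `Cert` type, the simplified name comparison in `norm`, the choice to treat an empty DN in a chaining comparison as a failure, and all DNs are assumptions constructed for illustration.

```python
from typing import NamedTuple

# A DN is modelled as a tuple of (attribute type, value) pairs; () is the empty DN.
class Cert(NamedTuple):  # hypothetical stand-in for a parsed certificate
    issuer: tuple
    subject: tuple

def norm(dn):
    # Simplified name matching (assumption): ignore case and extra whitespace.
    return tuple((t.lower(), " ".join(v.split()).lower()) for t, v in dn)

def check_name_chaining(anchor_dn, path):
    """Apply the quoted rule; return a list of problems (empty list = names chain)."""
    problems = []
    expected = anchor_dn  # the first certificate's issuer must match the anchor DN
    for i, cert in enumerate(path):
        if not cert.issuer or not expected:
            # Assumption: an empty name identifies nothing, so it cannot chain.
            problems.append(f"cert {i}: empty DN in chaining comparison")
        elif norm(cert.issuer) != norm(expected):
            problems.append(f"cert {i}: issuer does not match previous name")
        # The subject is compared only if another certificate follows, so an
        # empty subject in the last (EE) certificate never reaches a comparison.
        expected = cert.subject
    return problems

# Constructed sample names.
ROOT = (("C", "DK"), ("O", "Example Trust"), ("CN", "Example Root CA"))
INTER = (("C", "DK"), ("O", "Example Trust"), ("CN", "Example Issuing CA"))
HOST = (("CN", "host.example"),)

# EE certificate with an empty subject DN: the names still chain.
PATH_EMPTY_EE = [Cert(ROOT, INTER), Cert(INTER, ())]
# CA certificate with an empty subject DN: the next certificate cannot chain.
PATH_EMPTY_CA = [Cert(ROOT, ()), Cert((), HOST)]

if __name__ == "__main__":
    for label, path in (("empty EE subject", PATH_EMPTY_EE),
                        ("empty CA subject", PATH_EMPTY_CA)):
        print(label, "->", check_name_chaining(ROOT, path) or "names chain")
```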
