Based on received response, I have produced a defect report (see http://www.x500standard.com/uploads/Ig/DR_366.pdf) for your kind consideration and comment.

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik

From: Erik Andersen [mailto:era@xxxxxxx]
Sent: 12 July 2011 16:36
To: x500standard@xxxxxxxxxxxxx; 'SG17-Q11'
Subject: [Spam] [T17Q11] SV: [x500standard] Re: Inconsistency in X.509

I know that RFC 5280 specifies that the DN shall be non-empty for the issuer field and shall be non-empty for both subject and issuer field for a CA certificate. The same is not the case for X.509 as of now.

From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On behalf of Santosh Chokhani
Sent: 12 July 2011 16:24
To: x500standard@xxxxxxxxxxxxx; SG17-Q11
Subject: [x500standard] Re: Inconsistency in X.509

Hopefully, subject DN is absent only in EE certificate, obviating the need for name chaining.

From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: Tuesday, July 12, 2011 10:13 AM
To: Directory list; SG17-Q11
Subject: [x500standard] Inconsistency in X.509

Hi Folks,

Note 2 of 8.3.2.1 (which should not be a note) states that the value of the public-key certificate subject field may hold an empty DN under certain conditions. The note of 8.3.2.2 states something similar for the issuer field.

Somewhere down in clause 7, a little before the CertificationPath data type, the following statement may be found:

"The issuer and subject fields of each certificate are used, in part, to identify a valid path. For each pair of adjacent certificates in a valid certification path, the value of the subject field in one certificate shall match the value of the issuer field in the subsequent certificate. In addition, the value of the issuer field in the first certificate shall match the DN of the trust anchor. Only the names in these fields are used when checking validity of a certification path. Names in certificate extensions are not used for this purpose."

What is true?
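
The name-chaining rule quoted from clause 7, next to the empty-DN case this thread raises, as an added example that is not part of the original messages or of any standard's text. The DN model (tuples compared for equality), the Cert class, the function names and the sample names are assumptions made for illustration; the non-empty conditions are the ones the thread attributes to RFC 5280.

```python
from dataclasses import dataclass

# Constructed model: a DN is a tuple of (attribute, value) RDNs; () is the empty DN.
# Matching is plain tuple equality, a simplification of X.500 name matching.
EMPTY = ()

@dataclass(frozen=True)
class Cert:
    issuer: tuple
    subject: tuple

def naive_chain(anchor_dn, path):
    """Clause 7 rule taken literally: compare the issuer/subject fields only."""
    if not path or path[0].issuer != anchor_dn:
        return False
    return all(a.subject == b.issuer for a, b in zip(path, path[1:]))

def strict_chain(anchor_dn, path):
    """Same rule plus the non-empty-DN conditions cited in the thread.
    Returns a list of problems; an empty list means the names chain."""
    if not path:
        return ["empty path"]
    problems = []
    if path[0].issuer != anchor_dn:
        problems.append("cert 0: issuer does not match trust anchor DN")
    last = len(path) - 1
    for i, cert in enumerate(path):
        if cert.issuer == EMPTY:
            problems.append(f"cert {i}: empty issuer DN")
        if i < last and cert.subject == EMPTY:  # every non-final cert is a CA cert
            problems.append(f"cert {i}: empty subject DN in a CA certificate")
        if i < last and cert.subject != path[i + 1].issuer:
            problems.append(f"cert {i}: subject does not match issuer of cert {i + 1}")
    return problems

# Constructed sample names and paths (trust anchor -> CA -> end entity).
ROOT = (("O", "Example Root"),)
CA = (("O", "Example CA"),)
EE = (("CN", "host.example"),)

GOOD = [Cert(ROOT, CA), Cert(CA, EE)]
EE_NO_SUBJECT = [Cert(ROOT, CA), Cert(CA, EMPTY)]  # empty subject only in the EE cert
EMPTY_LINK = [Cert(ROOT, EMPTY), Cert(EMPTY, EE)]  # empty DN used as a chaining link

if __name__ == "__main__":
    for name, path in [("GOOD", GOOD), ("EE_NO_SUBJECT", EE_NO_SUBJECT), ("EMPTY_LINK", EMPTY_LINK)]:
        print(name, naive_chain(ROOT, path), strict_chain(ROOT, path))
```

The EMPTY_LINK path passes the literal field comparison because two empty DNs compare equal, which is why a validator needs the explicit non-empty checks rather than relying on matching alone.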