[x500standard] SV: [Spam] [T17Q11] SV: Re: Inconsistency in X.509

  • From: "Erik Andersen" <era@xxxxxxx>
  • To: <x500standard@xxxxxxxxxxxxx>, "'SG17-Q11'" <t09sg17q11@xxxxxxxxxxxxx>
  • Date: Thu, 14 Jul 2011 11:20:33 +0200

Based on received response, I have produced a defect report (see
http://www.x500standard.com/uploads/Ig/DR_366.pdf) for your kind
consideration and comment.

 

Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik

 

From: Erik Andersen [mailto:era@xxxxxxx]
Sent: 12 July 2011 16:36
To: x500standard@xxxxxxxxxxxxx; 'SG17-Q11'
Subject: [Spam] [T17Q11] SV: [x500standard] Re: Inconsistency in X.509

 

I know that RFC 5280 specifies that the DN shall be non-empty for the issuer
field and shall be non-empty for both subject and issuer field for CA
certificate. The same is not the case for X.509 as for now.

 

Erik Andersen


 

From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On behalf of Santosh Chokhani
Sent: 12 July 2011 16:24
To: x500standard@xxxxxxxxxxxxx; SG17-Q11
Subject: [x500standard] Re: Inconsistency in X.509

 

Hopefully, subject DN is absent only in EE certificate, obviating the need
for name chaining.

 

From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: Tuesday, July 12, 2011 10:13 AM
To: Directory list; SG17-Q11
Subject: [x500standard] Inconsistency in X.509

 

Hi Folks,

 

Note 2 of 8.3.2.1 (which should not be a note) states that the value of the
public-key certificate subject field may hold an empty DN under certain
conditions. The note of 8.3.2.2 states something similar for the issuer
field.

 

Somewhere down in clause 7, a little before the CertificationPath data type,
the following statement may be found:

 

The issuer and subject fields of each certificate are used, in part, to
identify a valid path. For each pair of adjacent certificates in a valid
certification path, the value of the subject field in one certificate shall
match the value of the issuer field in the subsequent certificate. In
addition, the value of the issuer field in the first certificate shall match
the DN of the trust anchor. Only the names in these fields are used when
checking validity of a certification path. Names in certificate extensions
are not used for this purpose.

 

What is true?

 

Erik Andersen

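The name-chaining rule quoted from clause 7, applied to the empty-DN cases raised in this thread, as an added Python example that is not part of the original messages. The `Cert` model, the simplified `norm` comparison and the sample DNs are constructed assumptions, not X.509's full name-matching rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal certificate model (not a real parser).
    A DN is a tuple of (attribute, value) pairs; () is the empty DN."""
    issuer: tuple
    subject: tuple
    is_ca: bool

def norm(dn):
    # Simplified comparison: case-insensitive, whitespace-collapsed values.
    return tuple((t.lower(), " ".join(v.split()).lower()) for t, v in dn)

def names_chain(upper, lower):
    # An empty DN identifies nothing, so it never chains,
    # not even to another empty DN (naive equality would accept that).
    return bool(upper) and bool(lower) and norm(upper) == norm(lower)

def check_path(anchor_dn, path):
    """Return name-chaining problems for a path ordered from the
    certificate issued by the trust anchor down to the end entity."""
    problems = []
    expected = anchor_dn
    for i, cert in enumerate(path):
        if not cert.issuer:
            problems.append(f"cert {i}: empty issuer DN")
        elif not names_chain(expected, cert.issuer):
            problems.append(f"cert {i}: issuer does not match previous subject")
        is_last = i == len(path) - 1
        # An empty subject is tolerable only where nothing chains to it.
        if not cert.subject and (cert.is_ca or not is_last):
            problems.append(f"cert {i}: empty subject DN where chaining is needed")
        expected = cert.subject
    return problems

# Constructed sample names and paths.
ROOT = (("C", "DK"), ("O", "Example Root CA"))
SUB = (("C", "DK"), ("O", "Example Issuing CA"))
EE_EMPTY_SUBJECT = [Cert(ROOT, SUB, True), Cert(SUB, (), False)]
CA_EMPTY_SUBJECT = [Cert(ROOT, (), True), Cert((), (("CN", "host"),), False)]

if __name__ == "__main__":
    print(check_path(ROOT, EE_EMPTY_SUBJECT))  # end entity only: names chain
    print(check_path(ROOT, CA_EMPTY_SUBJECT))  # CA with empty subject: fails
```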

 
