Rfc3280bis-00 David Cooper, NIST Tim Polk, NIST. Development Process ● October 2004: Tim Polk...

rfc3280bis-00

David Cooper, NIST
Tim Polk, NIST

Development Process

● October 2004: Tim Polk requested that people submit any issues that needed to be addressed in 3280bis

● January 2004: 3280bis design team met to review all submitted issues and agree on an initial resolution for each issue.

● February 2004: rfc3280bis-00 posted.

● Pending: posting of disposition of comments

Design Team

● Sharon Boeyen
● David Cooper
● Stephen Farrell
● Warwick Ford
● Steve Hanna
● Russ Housley
● Tim Polk
● Stefan Santesson

Encoding of names

● DN attributes of type DirectoryString may be encoded in either UTF8String or PrintableString

● Expanded support for internationalized names
  – Internationalized Domain Names (IDN)
  – Internationalized Resource Identifiers (IRI)
  – Internationalized email addresses

Comparison of Names

● MUST be able to compare DN attributes using LDAP StringPrep profile

● MUST be able to compare IDNs, IRIs, and internationalized email addresses as specified in the appropriate RFCs

● For URIs and IRIs, MUST be able to perform scheme-based normalization for ldap, http, https, and ftp prior to comparison

Name Constraints

● Implementation requirements clarified for apps
  – MUST be able to process directoryName
  – SHOULD be able to process rfc822Name, uniformResourceIdentifier, dNSName, and iPAddress

● CAs MUST NOT impose constraints on x400Address, ediPartyName, or registeredID

● Syntax for URI name constraints extended:

  uriconstraint  = ["."] domainstring |
                   scheme ":" ["//"] hostconstraint [schemespecific]
  hostconstraint = ["@"] ["."] domainstring [":" port]
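As an added illustration (not code from the draft or these slides), the Python below parses the extended uriconstraint grammar above and checks URIs against it. Scheme, host and port matching follow RFC 3280's host-part rule (a leading "." admits one or more extra labels, otherwise the host must match exactly); the "@" marker and the schemespecific part are parsed but not matched, because the slide does not define their semantics. The class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Grammar from the slide:
#   uriconstraint  = ["."] domainstring | scheme ":" ["//"] hostconstraint [schemespecific]
#   hostconstraint = ["@"] ["."] domainstring [":" port]
_DOMAIN = r"(?P<dot>\.)?(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
_BARE = re.compile(rf"^{_DOMAIN}$")
_SCHEMED = re.compile(
    rf"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*):(?://)?(?P<at>@)?{_DOMAIN}"
    r"(?::(?P<port>\d+))?(?P<specific>[/?#].*)?$"
)

@dataclass(frozen=True)
class UriConstraint:
    scheme: Optional[str]   # None for the bare ["."] domainstring form
    subdomains: bool        # leading "." present: one or more extra labels allowed
    domain: str             # domainstring, lower-cased
    port: Optional[int]
    userinfo_marker: bool   # "@" present (parsed only; semantics not on the slide)
    schemespecific: str     # trailing path/query/fragment (parsed only)

def parse_uri_constraint(text: str) -> UriConstraint:
    m = _BARE.match(text)
    if m:
        return UriConstraint(None, bool(m["dot"]), m["domain"].lower(), None, False, "")
    m = _SCHEMED.match(text)
    if not m:
        raise ValueError(f"not a uriconstraint: {text!r}")
    return UriConstraint(m["scheme"].lower(), bool(m["dot"]), m["domain"].lower(),
                         int(m["port"]) if m["port"] else None, bool(m["at"]),
                         m["specific"] or "")

def uri_matches(uri: str, c: UriConstraint) -> bool:
    """True when the URI's scheme, host and (if constrained) port satisfy the constraint."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if not host:
        return False                 # the constraint applies to the host part only
    if c.scheme is not None and parts.scheme.lower() != c.scheme:
        return False
    # No default-port inference: that is slide 5's scheme-based normalization step.
    if c.port is not None and port != c.port:
        return False
    # RFC 3280 host rule: leading "." permits added labels, otherwise exact host match.
    return host.endswith("." + c.domain) if c.subdomains else host == c.domain
```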

Distribution Points

● SHOULD NOT use nameRelativeToIssuer or reasons

● cRLIssuer field MUST include DN from issuer field of CRL using identical encoding

● More information provided about format of URIs and format of data pointed to by URIs (ldap, http, and ftp).

AIA and SIA

● More information provided about format of URIs and format of data pointed to by URIs (ldap, http, and ftp)
  – For LDAP, URI MUST specify a distinguishedName and attribute(s) and MAY specify a host name
  – For HTTP and FTP, URI MUST point to a file containing either a single DER encoded certificate (.cer) or a collection of certificates (“certs-only” CMS message, .p7c)

● Multiple entries in AIA or SIA may point to same information or different information.

Other changes

● PrivateKeyUsagePeriod extension moved from section 4 to a new appendix (D).

● Support for inhibitPolicyMapping field of policyConstraints is optional.

● PolicyMappings changed from MUST be non-critical to SHOULD be critical.

Internationalized Name Types

● Directory Names
● Domain Names
● Resource Identifiers
● Email Addresses

Directory Names

● Strategy
  – Mandate transformation on comparison rather than storage (ISO compatibility)
  – Transform using ldap stringprep profile
    ● Normalize, compress white space

● Side Effects
  – No impact on storage or encoding
  – Supports migration to UTF8
  – Establish uniform expectations for name constraints processing

Domain Names

● Strategy:
  – Convert Internationalized labels to ASCII Compatible Encoding (ACE) labels as defined in RFC 3490
  – Encode in dNSName field of SubjectAltName

● Side Effects
  – Comparison logic is unaffected; still comparing two ASCII domain names
  – Conforming implementations must implement RFC 3490 (IDNA), 3491 (Nameprep), and 3492 (Punycode)

Resource Identifiers

● Strategy:
  – Convert Internationalized Resource Identifiers (IRIs) to URIs as defined in RFC 3987
  – Encode in uniformResourceIdentifier field of SubjectAltName
  – Comparisons use Scheme and/or Protocol-based rules as defined in RFC 3987
    ● High-end of 3987 Comparison Ladder

● Side Effects
  – Breaks current products

Email Addresses

● Strategy
  – Local part of email address is transformed to UTF8 but interpreted literally (no normalization)
  – Host part is converted and compared as described for domain names
  – Encoded in rfc822Name in SubjectAltName

● Side Effects
  – Need a new prefix for local part of email address
  – Comparison logic is unaffected; still comparing two ASCII email addresses
  – No new code: reuse of domain name conversion and comparison tools
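As an added example (not code from the draft or these slides), the Python below applies the strategy of the Domain Names and Email Addresses slides: host labels go through RFC 3490 ToASCII using the standard-library idna codec (which implements Nameprep and Punycode), the mailbox local part is compared literally, and the results are then matched against dNSName and rfc822Name constraints under RFC 3280's rules. Sample names are constructed; the function names are the example's own.

```python
# Internationalized dNSName / rfc822Name comparison as slides 12 and 14 describe.
# Host labels go through IDNA ToASCII (RFC 3490 with Nameprep and Punycode), which
# Python's standard-library "idna" codec implements, so the comparison is between two
# ASCII domain names. The mailbox local part stays UTF-8 and is compared literally.
# Sample values used with these functions are constructed for the example.

def domain_to_ace(name: str) -> str:
    """RFC 3490 ToASCII per label, then lower-case: DNS names compare case-insensitively.
    Raises UnicodeError for labels Nameprep prohibits or that are empty or over 63 octets."""
    return name.encode("idna").decode("ascii").lower()

def dns_names_equal(a: str, b: str) -> bool:
    return domain_to_ace(a) == domain_to_ace(b)

def dns_name_in_constraint(name: str, constraint: str) -> bool:
    """dNSName constraint (RFC 3280 4.2.1.11): the name matches if it equals the
    constraint or was built by adding whole labels to its left."""
    host, suffix = domain_to_ace(name), domain_to_ace(constraint)
    return host == suffix or host.endswith("." + suffix)

def split_mailbox(addr: str) -> tuple[str, str]:
    """Split at the last '@' so a quoted local part containing '@' survives intact."""
    local, sep, host = addr.rpartition("@")
    if not sep or not local or not host:
        raise ValueError(f"not a mailbox address: {addr!r}")
    return local, host

def email_addresses_equal(a: str, b: str) -> bool:
    local_a, host_a = split_mailbox(a)
    local_b, host_b = split_mailbox(b)
    # Local part: UTF-8, compared literally with no normalization or case folding.
    # Host part: converted and compared exactly as a dNSName would be.
    return local_a.encode("utf-8") == local_b.encode("utf-8") and dns_names_equal(host_a, host_b)

def email_in_constraint(addr: str, constraint: str) -> bool:
    """rfc822Name constraint (RFC 3280): a full mailbox matches literally; a host name
    matches any mailbox on that host; a leading '.' matches any host in that domain."""
    local, host = split_mailbox(addr)
    if "@" in constraint:
        return email_addresses_equal(addr, constraint)
    if constraint.startswith("."):
        return domain_to_ace(host).endswith("." + domain_to_ace(constraint[1:]))
    return dns_names_equal(host, constraint)
```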

The Way Forward

● Post disposition of comments

● Review new functionality
  – Name constraints for URIs
  – Internationalization of names

● Submit -01 draft to resolve comments on design team resolution of round 1 comments and new functionality in -00 draft
  – Obtain prefix for local part of email address?

● Last Call on -01 draft