Rfc3280bis-00 David Cooper, NIST Tim Polk, NIST. Development Process ● October 2004: Tim Polk...
rfc3280bis-00
David Cooper, NIST
Tim Polk, NIST
Development Process
● October 2004: Tim Polk requested that people submit any issues that needed to be addressed in 3280bis
● January 2005: 3280bis design team met to review all submitted issues and agree on an initial resolution for each issue.
● February 2005: rfc3280bis-00 posted.
● pending: posting of disposition of comments
Design Team
● Sharon Boeyen
● David Cooper
● Stephen Farrell
● Warwick Ford
● Steve Hanna
● Russ Housley
● Tim Polk
● Stefan Santesson
Encoding of names
● DN attributes of type DirectoryString may be encoded in either UTF8String or PrintableString
● Expanded support for internationalized names
– Internationalized Domain Names (IDN)
– Internationalized Resource Identifiers (IRI)
– Internationalized email addresses
Comparison of Names
● MUST be able to compare DN attributes using LDAP StringPrep profile
● MUST be able to compare IDNs, IRIs, and internationalized email addresses as specified in appropriate RFC
● For URIs and IRIs, MUST be able to perform scheme-based normalization for ldap, http, https, and ftp prior to comparison
Name Constraints
● Implementation requirements clarified for apps
– MUST be able to process directoryName
– SHOULD be able to process rfc822Name, uniformResourceIdentifier, dNSName, and iPAddress
● CAs MUST NOT impose constraints on x400Address, ediPartyName, or registeredID
● Syntax for URI name constraints extended:
uriconstraint  = ["."] domainstring |
                 scheme ":" ["//"] hostconstraint [schemespecific]
hostconstraint = ["@"] ["."] domainstring [":" port]
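The matching rules behind those name forms, as an added example (not code from the draft or its authors). The slide gives only the syntax of the extended URI constraint, so the semantics below are this example's reading of it: a leading "." means "any host within this domain" (subdomains only) while no leading "." means "exactly this host" for the URI and rfc822Name forms; "scheme:" must equal the URI's scheme; "@" permits a userinfo component; ":port" must equal the URI's explicit port; and "schemespecific" is treated as a path prefix. dNSName constraints follow RFC 3280 (the constraint host plus any name formed by adding labels on the left). Treating a URI without a host part as not satisfying a host constraint is also an assumption.

```python
"""Name-constraint matching for dNSName, rfc822Name and the extended
uniformResourceIdentifier constraint syntax shown on the slide (added
example; the semantics of the URI grammar are an assumed reading)."""
from urllib.parse import urlsplit


def _host_match(host: str, domain: str, mode: str) -> bool:
    """mode: 'exact', 'subdomains' (strictly below), or 'any' (host or below)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    if mode == "exact":
        return host == domain
    below = host.endswith("." + domain)
    return below if mode == "subdomains" else (host == domain or below)


def match_dns(name: str, constraint: str) -> bool:
    # RFC 3280: "host.example.com" matches that host and every subdomain of it
    return _host_match(name, constraint.lstrip("."), "any")


def match_rfc822(addr: str, constraint: str) -> bool:
    local, _, host = addr.rpartition("@")
    if "@" in constraint:                            # a particular mailbox (local part literal)
        clocal, _, chost = constraint.rpartition("@")
        return local == clocal and _host_match(host, chost, "exact")
    if constraint.startswith("."):                   # any mailbox on any host in the domain
        return _host_match(host, constraint[1:], "subdomains")
    return _host_match(host, constraint, "exact")    # any mailbox on exactly this host


def parse_uri_constraint(c: str) -> dict:
    """Parse  ["."] domainstring | scheme ":" ["//"] hostconstraint [schemespecific]."""
    spec = {"scheme": None, "userinfo": False, "subdomains": False,
            "domain": "", "port": None, "path": None}
    host = c
    if ":" in c:                                     # second alternative: scheme-qualified
        scheme, _, rest = c.partition(":")
        spec["scheme"] = scheme.lower()
        rest = rest[2:] if rest.startswith("//") else rest
        host, slash, path = rest.partition("/")      # schemespecific taken as a path prefix (assumption)
        if slash:
            spec["path"] = "/" + path
        if host.startswith("@"):                     # "@" permits userinfo (assumption)
            spec["userinfo"], host = True, host[1:]
        host, _, port = host.partition(":")
        if port:
            spec["port"] = int(port)
    if host.startswith("."):
        spec["subdomains"], host = True, host[1:]
    spec["domain"] = host.lower()
    return spec


def match_uri(uri: str, constraint: str) -> bool:
    spec = parse_uri_constraint(constraint)
    u = urlsplit(uri)
    if not u.hostname:                               # no host part: cannot satisfy a host constraint (assumption)
        return False
    if spec["scheme"] is not None and u.scheme.lower() != spec["scheme"]:
        return False
    if u.username is not None and not spec["userinfo"]:
        return False
    if spec["port"] is not None and u.port != spec["port"]:
        return False
    if spec["path"] is not None and not u.path.startswith(spec["path"]):
        return False
    mode = "subdomains" if spec["subdomains"] else "exact"
    return _host_match(u.hostname, spec["domain"], mode)
```

Note the asymmetry a validator must get right: for dNSName a constraint of `host.example.com` covers the host and everything below it, whereas for rfc822Name and URI the same string covers that host only and the leading-dot form is needed for the whole domain.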
Distribution Points
● SHOULD NOT use nameRelativeToCRLIssuer or reasons
● cRLIssuer field MUST include DN from issuer field of CRL using identical encoding
● More information provided about format of URIs and format of data pointed to by URIs (ldap, http, and ftp).
AIA and SIA
● More information provided about format of URIs and format of data pointed to by URIs (ldap, http, and ftp)
– For LDAP, URI MUST specify a distinguishedName and attribute(s) and MAY specify a host name
– For HTTP and FTP, URI MUST point to a file containing either a single DER encoded certificate (.cer) or a collection of certificates (“certs-only” CMS message, .p7c)
● Multiple entries in AIA or SIA may point to same information or different information.
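A client following an HTTP or FTP caIssuers URI has to accept both objects the slide names, and the file extension in the URI is not something to trust. The following added example (not code from the draft) classifies the fetched bytes by their DER structure instead: a Certificate is a SEQUENCE whose first element is the tbsCertificate SEQUENCE, while a certs-only CMS message is a ContentInfo SEQUENCE whose first element is the id-signedData OID. It is a minimal DER TLV reader that enforces definite, minimal lengths, and the sample objects are constructed stand-ins with the right outer shape, not real certificates.

```python
"""Classify an AIA/SIA object as .cer (single DER Certificate) or .p7c
(certs-only CMS) by content and return the certificates it carries.
Added example with a deliberately small DER reader; not from the draft."""

# DER encoding of OID 1.2.840.113549.1.7.2 (id-signedData), tag and length included
ID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
SEQUENCE, SET, CTX0, BIT_STRING = 0x30, 0x31, 0xA0, 0x03


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, end) for the element at buf[pos:], DER lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("high-tag-number form is not used in X.509/CMS")
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
            raise ValueError("non-minimal length is not DER")
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos + hdr:end], end


def _children(body: bytes):
    """Split a constructed value into (tag, full_encoding) pairs."""
    pos, out = 0, []
    while pos < len(body):
        tag, _, nxt = _read_tlv(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out


def extract_certificates(data: bytes):
    """Return ("cer", [der]) or ("p7c", [der, ...]); raise ValueError otherwise."""
    tag, body, end = _read_tlv(data)
    if tag != SEQUENCE or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    kids = _children(body)
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING }
    if len(kids) == 3 and kids[0][0] == SEQUENCE and kids[2][0] == BIT_STRING:
        return "cer", [bytes(data)]
    # ContentInfo ::= SEQUENCE { contentType id-signedData, content [0] EXPLICIT SignedData }
    if len(kids) == 2 and kids[0][1] == ID_SIGNED_DATA and kids[1][0] == CTX0:
        signed_data = _read_tlv(kids[1][1])[1]             # unwrap the EXPLICIT [0]
        sd_tag, sd_body, _ = _read_tlv(signed_data)
        if sd_tag != SEQUENCE:
            raise ValueError("SignedData is not a SEQUENCE")
        # SignedData: version, digestAlgorithms, encapContentInfo, certificates [0] IMPLICIT OPTIONAL, crls [1], signerInfos
        certs = [enc for t, enc in _children(sd_body)[3:] if t == CTX0]
        if not certs:
            return "p7c", []
        # CertificateChoices: only the plain "certificate" alternative is a SEQUENCE; other choices are skipped
        return "p7c", [enc for t, enc in _children(_read_tlv(certs[0])[1]) if t == SEQUENCE]
    raise ValueError("neither a Certificate nor a signedData ContentInfo")


def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def toy_certificate(serial: int) -> bytes:
    """Constructed stand-in with a Certificate's outer shape (not a real cert);
    the 131-byte signature forces a long-form length on purpose."""
    tbs = _tlv(SEQUENCE, _tlv(0x02, bytes([serial])))
    return _tlv(SEQUENCE, tbs + _tlv(SEQUENCE, b"") + _tlv(BIT_STRING, b"\x00" + bytes(130)))


def toy_certs_only(certs) -> bytes:
    """Constructed certs-only CMS: no digest algorithms, id-data content, no signers."""
    signed_data = _tlv(SEQUENCE, _tlv(0x02, b"\x01") + _tlv(SET, b"")
                       + _tlv(SEQUENCE, bytes.fromhex("06092a864886f70d010701"))   # id-data
                       + _tlv(CTX0, b"".join(certs)) + _tlv(SET, b""))
    return _tlv(SEQUENCE, ID_SIGNED_DATA + _tlv(CTX0, signed_data))
```

The reader refuses BER-only encodings (indefinite and non-minimal lengths), which is the right posture for data pulled from an untrusted URI: anything that is not DER is rejected before any attempt to interpret it as a certificate.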
Other changes
● PrivateKeyUsagePeriod extension moved from section 4 to a new appendix (D).
● Support for inhibitPolicyMapping field of policyConstraints is optional.
● PolicyMappings changed from MUST be non-critical to SHOULD be critical.
Internationalized Name Types
● Directory Names
● Domain Names
● Resource Identifiers
● Email Addresses
Directory Names
● Strategy
– Mandate transformation on comparison rather than storage (ISO compatibility)
– Transform using LDAP stringprep profile: normalize, compress white space
● Side Effects
– No impact on storage or encoding
– Supports migration to UTF8
– Establish uniform expectations for name constraints processing
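What "transformation on comparison rather than storage" means in practice, as an added example that is not code from the draft: the DirectoryString bytes stay exactly as the CA encoded them (PrintableString in an older certificate, UTF8String in a newer one), and equality is decided only after both values go through an approximation of the LDAP stringprep profile (RFC 4518): map away insignificant characters, case-fold, NFKC-normalize, then compress white space. This also serves the "Comparison of Names" slide above. The DER helpers handle short-form lengths only (values under 128 bytes), which suffices for attribute values; the sample values are constructed.

```python
"""DN attribute comparison after stringprep-style preparation, with the
stored encodings left untouched. Added example; RFC 4518 is approximated."""
import unicodedata

PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C
_DELETE = set("\u00ad\u1806\u200b\u200c\u200d\u2060\ufeff")   # RFC 4518 2.2 "mapped to nothing" (subset)
_TO_SPACE = set("\t\n\x0b\x0c\r\x85")                          # RFC 4518 2.2 "mapped to SPACE"


def der_string(tag: int, s: str) -> bytes:
    body = s.encode("ascii" if tag == PRINTABLE_STRING else "utf-8")
    if len(body) >= 0x80:
        raise ValueError("short-form DER length only in this example")
    return bytes([tag, len(body)]) + body


def decode_der_string(der: bytes) -> str:
    tag, length, body = der[0], der[1], der[2:]
    if length >= 0x80 or length != len(body):
        raise ValueError("malformed DER string")
    if tag == PRINTABLE_STRING:
        return body.decode("ascii")
    if tag == UTF8_STRING:
        return body.decode("utf-8")
    raise ValueError("only PrintableString and UTF8String are accepted here")


def ldap_prepare(value: str) -> str:
    """Approximation of RFC 4518 preparation for case-ignore matching:
    map (delete / to-space / case-fold), NFKC normalize, compress spaces."""
    mapped = []
    for ch in value:
        cat = unicodedata.category(ch)
        if ch in _DELETE or (cat == "Cc" and ch not in _TO_SPACE):
            continue                                   # control and format characters vanish
        if ch in _TO_SPACE or cat == "Zs":
            mapped.append(" ")                         # every kind of space becomes U+0020
        else:
            mapped.append(ch.casefold())               # stringprep B.2 case folding
    normalized = unicodedata.normalize("NFKC", "".join(mapped))
    return " ".join(normalized.split())                # drop leading/trailing, collapse runs


def dn_attribute_equal(der_a: bytes, der_b: bytes) -> bool:
    """Byte-different encodings of the same name compare equal; storage is untouched."""
    return ldap_prepare(decode_der_string(der_a)) == ldap_prepare(decode_der_string(der_b))


# Constructed sample values: one organization name as an old PrintableString
# certificate, a re-issued UTF8String certificate, and a UTF8String with a
# fullwidth 'E' (U+FF25) that NFKC maps to ASCII 'e'.
SAMPLE_PRINTABLE = der_string(PRINTABLE_STRING, "Example Corp")
SAMPLE_UTF8 = der_string(UTF8_STRING, "EXAMPLE  Corp")
SAMPLE_FULLWIDTH = der_string(UTF8_STRING, "\uff25xample Corp")
```

Because the transform is applied symmetrically at comparison time, a relying party can match the issuer name of a UTF8String certificate against the subject name of a PrintableString CA certificate without either certificate being re-encoded, which is the migration property the slide lists.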
Domain Names
● Strategy:
– Convert internationalized labels to ASCII Compatible Encoding (ACE) labels as defined in RFC 3490
– Encode in dNSName field of SubjectAltName
● Side Effects
– Comparison logic is unaffected; still comparing two ASCII domain names
– Conforming implementations must implement RFC 3490 (IDNA), 3491 (Nameprep), and 3492 (Punycode)
Resource Identifiers
● Strategy:
– Convert Internationalized Resource Identifiers (IRIs) to URIs as defined in RFC 3987
– Encode in uniformResourceIdentifier field of SubjectAltName
– Comparisons use scheme- and/or protocol-based rules as defined in RFC 3987 (high end of the RFC 3987 comparison ladder)
● Side Effects
– Breaks current products
Email Addresses
● Strategy
– Local part of email address is transformed to UTF8 but interpreted literally (no normalization)
– Host part is converted and compared as described for domain names
– Encoded in rfc822Name in SubjectAltName
● Side Effects
– Need a new prefix for local part of email address
– Comparison logic is unaffected; still comparing two ASCII email addresses
– No new code: reuse of domain name conversion and comparison tools
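The three conversion strategies above (domain names, resource identifiers, email addresses) and the scheme-based normalization required by the "Comparison of Names" slide, as one added example that is not code from the draft. Python's built-in `idna` codec implements RFC 3490 (IDNA), 3491 (Nameprep) and 3492 (Punycode), exactly the set the Domain Names slide mandates; IRI-to-URI conversion percent-encodes the UTF-8 bytes of non-ASCII characters outside the host (RFC 3987 3.1); and the normalization for http, https, ldap and ftp (lower-case scheme and host, default port removed, empty http path to "/", upper-case percent-escapes) is this example's reading of the upper rungs of the RFC 3987 comparison ladder. The local part of an email address is kept literally, with no prefix applied, since the slides leave that open.

```python
"""IDN, IRI and internationalized email conversion and comparison.
Added example; the idna codec does the RFC 3490/3491/3492 work."""
import re
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ftp": 21}


def domain_to_ace(name: str) -> str:
    """RFC 3490 ToASCII per label. The codec leaves all-ASCII labels untouched
    (no Nameprep case folding), so lower-case the result: DNS is case-insensitive."""
    return name.encode("idna").decode("ascii").lower()


def domains_equal(a: str, b: str) -> bool:
    return domain_to_ace(a) == domain_to_ace(b)          # still two ASCII domain names


def email_to_ascii(addr: str) -> tuple:
    """Local part literal UTF-8 (no normalization); host part converted like a domain name."""
    local, _, host = addr.rpartition("@")
    return local.encode("utf-8"), domain_to_ace(host)


def emails_equal(a: str, b: str) -> bool:
    return email_to_ascii(a) == email_to_ascii(b)


def _pct(s: str) -> str:
    """RFC 3987 3.1: percent-encode the UTF-8 bytes of every non-ASCII character."""
    return "".join(ch if ord(ch) < 128 else "".join("%%%02X" % b for b in ch.encode("utf-8"))
                   for ch in s)


def _netloc(p, host: str, port) -> str:
    out = ""
    if p.username is not None:
        out += _pct(p.username) + ("" if p.password is None else ":" + _pct(p.password)) + "@"
    out += host if ":" not in host else "[" + host + "]"   # IPv6 literal keeps its brackets
    return out + ("" if port is None else ":%d" % port)


def iri_to_uri(iri: str) -> str:
    """Host via IDNA ToASCII, every other component via UTF-8 percent-encoding."""
    p = urlsplit(iri)
    host = p.hostname or ""
    if host and ":" not in host:
        host = domain_to_ace(host)
    return urlunsplit((p.scheme, _netloc(p, host, p.port), _pct(p.path), _pct(p.query), _pct(p.fragment)))


def normalize_uri(uri: str) -> str:
    """Scheme-based normalization for ldap, http, https and ftp after IRI->URI conversion."""
    p = urlsplit(iri_to_uri(uri))
    scheme = p.scheme.lower()
    port = None if p.port == DEFAULT_PORTS.get(scheme) else p.port
    path = p.path or ("/" if scheme in ("http", "https") else "")
    out = urlunsplit((scheme, _netloc(p, p.hostname or "", port), path, p.query, p.fragment))
    return re.sub(r"%[0-9a-fA-F]{2}", lambda m: m.group(0).upper(), out)


def uris_equivalent(a: str, b: str) -> bool:
    return normalize_uri(a) == normalize_uri(b)
```

The last two assertions in the test are the point of the Email Addresses slide: the host part of `Ünïcode@bücher.example` and `Ünïcode@XN--BCHER-KVA.EXAMPLE` converts to the same ACE form, but `ünïcode@...` and `Ünïcode@...` differ because the local part is compared literally.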
The Way Forward
● Post disposition of comments
● Review new functionality
– Name constraints for URIs
– Internationalization of names
● Submit -01 draft to resolve comments on design team resolution of round 1 comments and new functionality in -00 draft
– Obtain prefix for local part of email address?
● Last Call on -01 draft