rfc3280bis-00
David Cooper, NIST
Tim Polk, NIST
Development Process
● October 2004: Tim Polk requested that people submit any issues that needed to be addressed in 3280bis
● January 2004: 3280bis design team met to review all submitted issues and agree on an initial resolution for each issue.
● February 2004: rfc3280bis-00 posted.
● Pending: posting of disposition of comments
Design Team
● Sharon Boeyen
● David Cooper
● Stephen Farrell
● Warwick Ford
● Steve Hanna
● Russ Housley
● Tim Polk
● Stefan Santesson
Encoding of names
● DN attributes of type DirectoryString may be encoded in either UTF8String or PrintableString
● Expanded support for internationalized names
– Internationalized Domain Names (IDN)
– Internationalized Resource Identifiers (IRI)
– Internationalized email addresses
Comparison of Names
● MUST be able to compare DN attributes using LDAP StringPrep profile
● MUST be able to compare IDNs, IRIs, and internationalized email addresses as specified in appropriate RFC
● For URIs and IRIs, MUST be able to perform scheme-based normalization for ldap, http, https, and ftp prior to comparison
![Page 6: Rfc3280bis-00 David Cooper, NIST Tim Polk, NIST. Development Process ● October 2004: Tim Polk requested that people submit any issues that needed to be](https://reader035.vdocument.in/reader035/viewer/2022071806/56649f555503460f94c79202/html5/thumbnails/6.jpg)
Name Constraints
● Implementation requirements clarified for apps
– MUST be able to process directoryName
– SHOULD be able to process rfc822Name, uniformResourceIdentifier, dNSName, and iPAddress
● CAs MUST NOT impose constraints on x400Address, ediPartyName, or registeredID
● Syntax for URI name constraints extended:
  uriconstraint  = ["."] domainstring |
                   scheme ":" ["//"] hostconstraint [schemespecific]
  hostconstraint = ["@"] ["."] domainstring [":" port]
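Added example (not code from the slides or from the 3280bis draft): a parser for the extended uriconstraint syntax shown on the Name Constraints slide, plus a matcher that applies one constraint to a subjectAltName URI. Host matching follows the RFC 3280 rule for URI constraints; how scheme, port, "@" and schemespecific restrict a URI is not defined on the slide, so the code treats scheme and port as exact-match requirements and only records the other two (assumptions, marked in the comments).

```python
# Added example (not from the rfc3280bis-00 slides): parser and matcher for the
# extended URI name-constraint syntax on the Name Constraints slide.
# Host matching follows RFC 3280 4.2.1.11: a leading "." matches one or more
# subdomains (".xyz.com" matches abc.xyz.com, not xyz.com); without it, the
# exact host. ASSUMPTIONS (not defined on the slide): scheme and port must
# match exactly when present; "@" and schemespecific are recorded, not applied.
import re
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")
_HOST = re.compile(
    r"^(?P<at>@)?(?P<dot>\.)?(?P<domain>[A-Za-z0-9.-]+?)(?::(?P<port>\d+))?$")

def parse_uri_constraint(constraint: str) -> dict:
    """Split a uriconstraint into its grammar components."""
    scheme, sep, rest = constraint.partition(":")
    if not sep or not _SCHEME.match(scheme):  # alternative 1: ["."] domainstring
        scheme, rest = None, constraint
    if rest.startswith("//"):
        rest = rest[2:]
    # hostconstraint ends where schemespecific begins (assumed to start with "/")
    hostpart, slash, specific = rest.partition("/")
    m = _HOST.match(hostpart)
    if not m:
        raise ValueError("malformed uriconstraint: %r" % constraint)
    return {
        "scheme": scheme.lower() if scheme else None,
        "userinfo_flag": m.group("at") is not None,  # the ["@"] marker
        "subdomains": m.group("dot") is not None,    # leading "." present
        "domain": m.group("domain").lower(),
        "port": int(m.group("port")) if m.group("port") else None,
        "schemespecific": slash + specific if slash else None,
    }

def host_matches(host: str, domain: str, subdomains: bool) -> bool:
    """Apply the RFC 3280 host rule to a URI's hostname."""
    host = host.lower()
    return host.endswith("." + domain) if subdomains else host == domain

def uri_permitted(constraint: str, uri: str) -> bool:
    """True if the URI satisfies the constraint (permittedSubtrees sense)."""
    c = parse_uri_constraint(constraint)
    u = urlsplit(uri)
    if not u.hostname:  # RFC 3280: the constraint applies to the host part
        return False
    if c["scheme"] is not None and u.scheme.lower() != c["scheme"]:
        return False
    if c["port"] is not None and u.port != c["port"]:
        return False
    return host_matches(u.hostname, c["domain"], c["subdomains"])
```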
Distribution Points
● SHOULD NOT use nameRelativeToIssuer or reasons
● cRLIssuer field MUST include DN from issuer field of CRL using identical encoding
● More information provided about format of URIs and format of data pointed to by URIs (ldap, http, and ftp).
AIA and SIA
● More information provided about format of URIs and format of data pointed to by URIs (ldap, http, and ftp)
– For LDAP, URI MUST specify a distinguishedName and attribute(s) and MAY specify a host name
– For HTTP and FTP, URI MUST point to a file containing either a single DER encoded certificate (.cer) or a collection of certificates (“certs-only” CMS message, .p7c)
● Multiple entries in AIA or SIA may point to same information or different information.
Other changes
● PrivateKeyUsagePeriod extension moved from section 4 to a new appendix (D).
● Support for inhibitPolicyMapping field of policyConstraints is optional.
● PolicyMappings changed from MUST be non-critical to SHOULD be critical.
Internationalized Name Types
● Directory Names
● Domain Names
● Resource Identifiers
● Email Addresses
Directory Names
● Strategy
– Mandate transformation on comparison rather than storage (ISO compatibility)
– Transform using LDAP stringprep profile
  ● Normalize, compress white space
● Side Effects
– No impact on storage or encoding
– Supports migration to UTF8
– Establish uniform expectations for name constraints processing
Domain Names
● Strategy:
– Convert internationalized labels to ASCII Compatible Encoding (ACE) labels as defined in RFC 3490
– Encode in dNSName field of SubjectAltName
● Side Effects
– Comparison logic is unaffected; still comparing two ASCII domain names
– Conforming implementations must implement RFC 3490 (IDNA), 3491 (Nameprep), and 3492 (Punycode)
Resource Identifiers
● Strategy:
– Convert Internationalized Resource Identifiers (IRIs) to URIs as defined in RFC 3987
– Encode in uniformResourceIdentifier field of SubjectAltName
– Comparisons use scheme- and/or protocol-based rules as defined in RFC 3987
  ● High end of the RFC 3987 comparison ladder
● Side Effects
– Breaks current products
Email Addresses
● Strategy
– Local part of email address is transformed to UTF8 but interpreted literally (no normalization)
– Host part is converted and compared as described for domain names
– Encoded in rfc822Name in SubjectAltName
● Side Effects
– Need a new prefix for local part of email address
– Comparison logic is unaffected; still comparing two ASCII email addresses
– No new code: reuse of domain name conversion and comparison tools
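Added example (not code from the slides or the draft) covering the Domain Names and Email Addresses strategies together: host labels are converted to ACE with Python's built-in "idna" codec (an RFC 3490 ToASCII implementation that applies Nameprep and Punycode) and then compared as plain ASCII, while the local part of an rfc822Name is compared literally. The dNSName constraint check at the end applies the RFC 3280 dNSName rule to the ACE forms; the sample names are constructed.

```python
# Added example (not from the slides): comparing internationalized dNSName
# and rfc822Name values by the strategy on the Domain Names and Email
# Addresses slides. Host labels go through Python's built-in "idna" codec
# (RFC 3490 ToASCII: Nameprep + Punycode) and are then compared as ASCII;
# the local part of an email address is compared literally, unnormalized.

def dnsname_to_ace(name: str) -> str:
    """Return the ACE form of a domain name, lower-cased, without trailing dot.
    The idna codec leaves all-ASCII labels untouched, so case folding of
    those labels is done here (DNS names are case-insensitive)."""
    labels = []
    for label in name.rstrip(".").split("."):
        if not label:
            raise ValueError("empty label in %r" % name)
        labels.append(label.encode("idna").decode("ascii").lower())
    return ".".join(labels)

def dnsname_equal(a: str, b: str) -> bool:
    """Two dNSName values match iff their ACE forms are identical."""
    return dnsname_to_ace(a) == dnsname_to_ace(b)

def rfc822name_equal(a: str, b: str) -> bool:
    """rfc822Name comparison: literal local part, ACE-compared host part."""
    local_a, at_a, host_a = a.rpartition("@")
    local_b, at_b, host_b = b.rpartition("@")
    if not (at_a and at_b and host_a and host_b):
        raise ValueError("rfc822Name must be local-part@host")
    return local_a == local_b and dnsname_equal(host_a, host_b)

def dnsname_permitted(constraint: str, name: str) -> bool:
    """dNSName name-constraint check on the ACE forms of both sides
    (RFC 3280 4.2.1.11: "foo.bar.com" also matches www.foo.bar.com)."""
    c, n = dnsname_to_ace(constraint), dnsname_to_ace(name)
    return n == c or n.endswith("." + c)
```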
The Way Forward
● Post disposition of comments
● Review new functionality
– Name constraints for URIs
– Internationalization of names
● Submit -01 draft to resolve comments on design team resolution of round 1 comments and new functionality in -00 draft
– Obtain prefix for local part of email address?
● Last Call on -01 draft