Re: PKITS Question
Seth,
Perhaps I should have included more information in the description of
this test. I added tests 4.3.7 - 4.3.11 to the test suite at the
request of Steve Hanna (see
http://cio.nist.gov/esd/emaildir/lists/pkits/msg00003.html).
In my view, the certification path in test 4.3.11 is valid, but an RFC
3280 compliant implementation may reject the path. Note that the final
paragraph of section 4.1.2.4 of RFC 3280 says:
    Note that the comparison rules defined in the X.500 series of
    specifications indicate that the character sets used to encode data
    in distinguished names are irrelevant. The characters themselves are
    compared without regard to encoding. Implementations of this profile
    are permitted to use the comparison algorithm defined in the X.500
    series. Such an implementation will recognize a superset of name
    matches recognized by the algorithm specified above.
So, I would say that the path is valid, but that RFC 3280 allows, but
does not require, the ability to process this path. But, this is true
for many of the tests that include features whose support is not
mandated by RFC 3280 (e.g., delta-CRLs, indirect CRLs, distribution points).
In the NIST Recommendation for X.509 Path Validation, the appendix
states that this test does not need to be run. The program that
generates testing tables based on the NIST Recommendation outputs the
following for the expected result for this test: "The certification
path is valid. However, a PVM that implements the minimum name
comparison rules in RFC 3280 will reject the certification path since it
will not recognize that names chain correctly."
Dave
Seth Hitchings wrote:
>Hi all,
>
>I'm running PKITS 4.3.11, "Valid UTF8String Case Insensitive Match Test11", and I'm
>wondering why the test expects path validation software to ignore case and whitespace in
>UTF8String encoded names.
>
>Section 4.1.2.4 of RFC 3280 seems to contradict this expectation:
>
> Conforming implementations are REQUIRED to implement the following
> name comparison rules:
>
> (a) attribute values encoded in different types (e.g.,
> PrintableString and BMPString) MAY be assumed to represent
> different strings;
>
> (b) attribute values in types other than PrintableString are case
> sensitive (this permits matching of attribute values as binary
> objects);
>
> (c) attribute values in PrintableString are not case sensitive
> (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and
>
> (d) attribute values in PrintableString are compared after
> removing leading and trailing white space and converting internal
> substrings of one or more consecutive white space characters to a
> single space.
>
>Since (b) above explicitly requires that UTF8Strings be compared in a case-sensitive
>manner, I don't see how path validation software that conforms to RFC 3280 could pass test
>4.3.11.
>
>Thanks,
>
>Seth Hitchings
>CoreStreet, Ltd.
>
>
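As an added illustration of the two comparison behaviours discussed in this thread (example code; not from PKITS, NIST, or either poster), the Python below implements the minimum name-comparison rules (a)-(d) of RFC 3280 section 4.1.2.4 next to an approximation of the X.500 character-based comparison that the final paragraph of that section permits, and runs both over a constructed issuer/subject pair whose UTF8String CN differs only in case. The names, OIDs, helper functions and the treatment of TeletexString as latin-1 are assumptions made for the example, not the actual PKITS test data.

```python
import re

# UNIVERSAL-class ASN.1 tag numbers of the DirectoryString alternatives.
PRINTABLE_STRING = 19
TELETEX_STRING = 20
UTF8_STRING = 12
UNIVERSAL_STRING = 28
BMP_STRING = 30

# Codecs used to recover characters from each type's raw content.
# Assumption for this example: TeletexString is decoded as latin-1.
_CODECS = {
    PRINTABLE_STRING: "ascii",
    UTF8_STRING: "utf-8",
    BMP_STRING: "utf-16-be",
    UNIVERSAL_STRING: "utf-32-be",
    TELETEX_STRING: "latin-1",
}

_WS_RUN = re.compile(r"\s+")


def _fold(chars: str) -> str:
    """Rules (c) and (d): strip leading/trailing white space, collapse internal
    runs of white space to one space, then ignore case."""
    return _WS_RUN.sub(" ", chars.strip()).casefold()


def rfc3280_minimum_match(a, b) -> bool:
    """Rules (a)-(d) of RFC 3280 4.1.2.4 for two attribute values, each given as
    (tag, raw_content_bytes). Every conforming PVM must support at least this."""
    (a_tag, a_raw), (b_tag, b_raw) = a, b
    if a_tag != b_tag:
        return False                   # (a): different types assumed different
    if a_tag == PRINTABLE_STRING:      # (c) + (d)
        return _fold(a_raw.decode("ascii")) == _fold(b_raw.decode("ascii"))
    return a_raw == b_raw              # (b): binary, case-sensitive comparison


def x500_style_match(a, b) -> bool:
    """The permitted superset: compare the characters regardless of encoding.
    This approximates X.500 caseIgnoreMatch; full X.520 string preparation is
    out of scope for this example."""
    (a_tag, a_raw), (b_tag, b_raw) = a, b
    return _fold(a_raw.decode(_CODECS[a_tag])) == _fold(b_raw.decode(_CODECS[b_tag]))


def names_match(name_a, name_b, attr_match) -> bool:
    """Compare two Names. A Name is a list of RDNs; an RDN is a list of
    (oid, (tag, raw)) pairs. Names match when they have the same number of RDNs
    and each RDN pair has the same number of attributes, every one of which
    finds a same-OID attribute with a matching value in its counterpart."""
    if len(name_a) != len(name_b):
        return False
    for rdn_a, rdn_b in zip(name_a, name_b):
        if len(rdn_a) != len(rdn_b):
            return False
        for oid_a, val_a in rdn_a:
            if not any(oid_a == oid_b and attr_match(val_a, val_b)
                       for oid_b, val_b in rdn_b):
                return False
    return True


# Constructed helpers and sample data (not the PKITS 4.3.11 certificates).
OID_C, OID_O, OID_CN = "2.5.4.6", "2.5.4.10", "2.5.4.3"


def printable(s: str):
    return (PRINTABLE_STRING, s.encode("ascii"))


def utf8(s: str):
    return (UTF8_STRING, s.encode("utf-8"))


CA_SUBJECT = [
    [(OID_C, printable("US"))],
    [(OID_O, printable("Example Org"))],
    [(OID_CN, utf8("Example CA"))],
]
# Issuer name in the end-entity certificate: same characters, different case in the
# UTF8String CN and extra white space in the PrintableString O.
EE_ISSUER = [
    [(OID_C, printable("US"))],
    [(OID_O, printable("Example   Org"))],
    [(OID_CN, utf8("EXAMPLE ca"))],
]


def chain_check() -> dict:
    """Does the EE's issuer chain to the CA's subject under each rule set?"""
    return {
        "minimum": names_match(EE_ISSUER, CA_SUBJECT, rfc3280_minimum_match),
        "x500": names_match(EE_ISSUER, CA_SUBJECT, x500_style_match),
    }


if __name__ == "__main__":
    print(chain_check())
```

Run stand-alone it reports that the minimum rules reject the chain while the X.500-style comparison accepts it, which is exactly the split the expected-result text for this test describes: the PrintableString O matches under both rule sets because of (c) and (d), and the UTF8String CN is what rule (b) refuses to fold.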