RE: PKITS Question


David, 

Thanks for your quick reply. I understand how the final paragraph of RFC 3280 section
4.1.2.4 can be applied to test 4.3.10, "Valid Rollover from PrintableString to
UTF8String", in which different encoding types are used to specify the same string value.
However, regarding test 4.3.11, I'm still concerned that RFC 3280 states that the
conforming implementations are REQUIRED to compare attribute values in types other than
PrintableString in a case-sensitive manner. I don't see where the specification gives us
any flexibility here. Perhaps I'm failing to understand the general direction of section
4.2.1.4.

Thanks,
Seth

-----Original Message-----
From: pkits@nist.gov [mailto:pkits@nist.gov] On Behalf Of David A. Cooper
Sent: Monday, June 13, 2005 5:51 PM
To: Multiple recipients of list
Subject: Re: PKITS Question


Seth,

Perhaps I should have included more information in the description of this test.  I added
tests 4.3.7 - 4.3.11 to the test suite at the request of Steve Hanna (see
http://cio.nist.gov/esd/emaildir/lists/pkits/msg00003.html).

In my view, the certification path in test 4.3.11 is valid, but an RFC 3280 compliant
implementation may reject the path.  Note that the final paragraph of section 4.1.2.4 of
RFC 3280 says:

   Note that the comparison rules defined in the X.500 series of
   specifications indicate that the character sets used to encode data
   in distinguished names are irrelevant.  The characters themselves are
   compared without regard to encoding.  Implementations of this profile
   are permitted to use the comparison algorithm defined in the X.500
   series.  Such an implementation will recognize a superset of name
   matches recognized by the algorithm specified above.

So, I would say that the path is valid, but that RFC 3280 allows, but does not require,
the ability to process this path.  But, this is true for many of the tests that include
features whose support is not mandated by RFC 3280 (e.g., delta-CRLs, indirect CRLs,
distribution points).

In the NIST Recommendation for X.509 Path Validation, the appendix states that this test
does not need to be run.  The program that generates testing tables based on the NIST
Recommendation outputs the following for the expected result for this test:  "The
certification path is valid. However, a PVM that implements the minimum name comparison
rules in RFC 3280 will reject the certification path since it will not recognize that
names chain correctly."

Dave

Seth Hitchings wrote:

>Hi all,
>
>I'm running PKITS 4.3.11, "Valid UTF8String Case Insensitive Match 
>Test11", and I'm wondering why the test expects path validation 
>software to ignore case and whitespace in UTF8String encoded names.
>
>Section 4.1.2.4 of RFC 3280 seems to contradict this expectation:
>
>   Conforming implementations are REQUIRED to implement the following
>   name comparison rules:
>
>      (a)  attribute values encoded in different types (e.g.,
>      PrintableString and BMPString) MAY be assumed to represent
>      different strings;
>
>      (b) attribute values in types other than PrintableString are case
>      sensitive (this permits matching of attribute values as binary
>      objects);
>
>      (c)  attribute values in PrintableString are not case sensitive
>      (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and
>
>      (d)  attribute values in PrintableString are compared after
>      removing leading and trailing white space and converting internal
>      substrings of one or more consecutive white space characters to a
>      single space.
>
>Since (b) above explicitly requires that UTF8Strings be compared in a 
>case-sensitive manner, I don't see how path validation software that 
>conforms to RFC 3280 could pass test 4.3.11.
>
>Thanks,
>
>Seth Hitchings
>CoreStreet, Ltd.
>
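The two comparison policies the thread contrasts, as an added example that is not code from PKITS, NIST or anyone on the list: the minimum rules (a)-(d) of RFC 3280 section 4.1.2.4 beside an X.500-style comparison that ignores encoding, case and insignificant whitespace. The single-valued RDN model, the `AttributeValue` type and the `names_chain` helper are simplifying assumptions made here, and the sample names are constructed.

```python
# Added example: RFC 3280 minimum name matching vs. the permitted X.500 superset.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeValue:
    """A DirectoryString attribute value: its ASN.1 string type and its text."""
    string_type: str  # "PrintableString", "UTF8String", "BMPString", ...
    text: str


def _normalize_whitespace(s: str) -> str:
    """Rule (d): drop leading/trailing whitespace, collapse internal runs to one space."""
    return re.sub(r"\s+", " ", s.strip())


def rfc3280_minimum_match(a: AttributeValue, b: AttributeValue) -> bool:
    """Only the rules RFC 3280 4.1.2.4 REQUIRES. A PVM implementing just these
    will not see the names in PKITS 4.3.10/4.3.11 as matching."""
    # (a): values in different string types MAY be treated as different strings;
    # this implementation takes that option.
    if a.string_type != b.string_type:
        return False
    if a.string_type == "PrintableString":
        # (c) + (d): case-insensitive after whitespace normalization.
        return _normalize_whitespace(a.text).lower() == _normalize_whitespace(b.text).lower()
    # (b): every other type is case sensitive, i.e. compared as a binary object.
    return a.text == b.text


def x500_style_match(a: AttributeValue, b: AttributeValue) -> bool:
    """The superset RFC 3280 permits: characters compared without regard to
    encoding, ignoring case and insignificant whitespace. Assumed simplification
    of X.520 caseIgnoreMatch, not a full implementation of it."""
    return _normalize_whitespace(a.text).casefold() == _normalize_whitespace(b.text).casefold()


def names_chain(issuer_name, ca_subject_name, match=rfc3280_minimum_match) -> bool:
    """Does a certificate's issuer name match the issuing CA's subject name?
    Names are modelled as ordered lists of single-valued RDNs: (attribute type, value)."""
    if len(issuer_name) != len(ca_subject_name):
        return False
    return all(t1 == t2 and match(v1, v2)
               for (t1, v1), (t2, v2) in zip(issuer_name, ca_subject_name))


if __name__ == "__main__":
    # Constructed names: same text in UTF8String, differing only in case.
    issuer = [("C", AttributeValue("PrintableString", "US")),
              ("O", AttributeValue("UTF8String", "Test Certificates"))]
    ca_subject = [("C", AttributeValue("PrintableString", "US")),
                  ("O", AttributeValue("UTF8String", "TEST CERTIFICATES"))]
    print("minimum rules:", names_chain(issuer, ca_subject))              # False
    print("X.500 style:  ", names_chain(issuer, ca_subject, x500_style_match))  # True
```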