RE: PKITS Question

[Tim Polk <tim.polk@nist.gov>]

Seth,

I went back and reviewed the text of 3280.  I understand the confusion, but 
David's interpretation is consistent with the WG's intent.  The text of 
3280 was meant to require implementation of a subset of the X.500 
comparison rules as the minimum baseline, but permit implementation of the 
complete comparison rules.  (There is never a security risk from 
implementing the complete set of comparison rules - you will just get less 
false negatives.)

So, item (b) was intended to establish the baseline.  Additional 
functionality was explicitly permitted by the text at the end of the 
section which David quoted earlier.

Sorry about the lack of clarity.  It certainly seemed straightforward when 
we wrote it!

Thanks,

Tim Polk

At 12:50 PM 6/14/2005 -0400, Seth Hitchings wrote:
>David,
>
>Thanks for your quick reply. I understand how the final paragraph of RFC 
>3280 section
>4.1.2.4 can be applied to test 4.3.10, "Valid Rollover from PrintableString to
>UTF8String", in which different encoding types are used to specify the 
>same string value.
>However, regarding test 4.3.11, I'm still concerned that RFC 3280 states 
>that the
>conforming implementations are REQUIRED to compare attribute values in 
>types other than
>PrintableString in a case-sensitive manner. I don't see where the 
>specification gives us
>any flexibility here. Perhaps I'm failing to understand the general 
>direction of section
>4.2.1.4.
>
>Thanks,
>Seth
>
>-----Original Message-----
>From: pkits@nist.gov [mailto:pkits@nist.gov] On Behalf Of David A. Cooper
>Sent: Monday, June 13, 2005 5:51 PM
>To: Multiple recipients of list
>Subject: Re: PKITS Question
>
>
>Seth,
>
>Perhaps I should have included more information in the description of this 
>test.  I added
>tests 4.3.7 - 4.3.11 to the test suite at the request of Steve Hanna (see
>http://cio.nist.gov/esd/emaildir/lists/pkits/msg00003.html).
>
>In my view, the certification path in test 4.3.11 is valid, but an RFC 
>3280 compliant
>implementation may reject the path.  Note that the final paragraph of 
>section 4.1.2.4 of
>RFC 3280 says:
>
>    Note that the comparison rules defined in the X.500 series of
>    specifications indicate that the character sets used to encode data
>    in distinguished names are irrelevant.  The characters themselves are
>    compared without regard to encoding.  Implementations of this profile
>    are permitted to use the comparison algorithm defined in the X.500
>    series.  Such an implementation will recognize a superset of name
>    matches recognized by the algorithm specified above.
>
>So, I would say that the path is valid, but that RFC 3280 allows, but does 
>not require,
>the ability to process this path.  But, this is true for many of the tests 
>that include
>features whose support is not mandated by RFC 3280 (e.g., delta-CRLs, 
>indirect CRLs,
>distribution points).
>
>In the NIST Recommendation for X.509 Path Validation, the appendix states 
>that this test
>does not need to be run.  The program that generates testing tables based 
>on the NIST
>Recommendation outputs the following for the expected result for this 
>test:  "The
>certification path is valid. However, a PVM that implements the minimum 
>name comparison
>rules in RFC 3280 will reject the certification path since it will not 
>recognize that
>names chain correctly."
>
>Dave
>
>Seth Hitchings wrote:
>
> >Hi all,
> >
> >I'm running PKITS 4.3.11, "Valid UTF8String Case Insensitive Match
> >Test11", and I'm wondering why the test expects path validation
> >software to ignore case and whitespace in UTF8String encoded names.
> >
> >Section 4.1.2.4 of RFC 3280 seems to contradict this expectation:
> >
> >   Conforming implementations are REQUIRED to implement the following
> >   name comparison rules:
> >
> >      (a)  attribute values encoded in different types (e.g.,
> >      PrintableString and BMPString) MAY be assumed to represent
> >      different strings;
> >
> >      (b) attribute values in types other than PrintableString are case
> >      sensitive (this permits matching of attribute values as binary
> >      objects);
> >
> >      (c)  attribute values in PrintableString are not case sensitive
> >      (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and
> >
> >      (d)  attribute values in PrintableString are compared after
> >      removing leading and trailing white space and converting internal
> >      substrings of one or more consecutive white space characters to a
> >      single space.
> >
> >Since (b) above explicitly requires that UTF8Strings be compared in a
> >case-sensitive manner, I don't see how path validation software that
> >conforms to RFC 3280 could pass test 4.3.11.
> >
> >Thanks,
> >
> >Seth Hitchings
> >CoreStreet, Ltd.
> >
> >
>
>