W3C home > Mailing lists > Public > public-xmlsec-maintwg@w3.org > June 2007

Re: Additional issue on RFC 2253 usage in relation with XMLSig: On the capability of the RFC2253 "CN=Sam"encoding form for identifying a Certificate.

From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
Date: Mon, 18 Jun 2007 22:18:38 +0200
Message-ID: <4676E89E.1010101@iaik.tugraz.at>
To: public-xmlsec-maintwg@w3.org
Dear all,

I do not think that XMLDSig is the right place to perform DNAME 
constraining, canonicalization or comparison.
Usually RFC 2253/4514 implementations will parse two string 
representations and rather use means as specified in RFC 4517 section 4 
to compare two values.

However I would agree giving input to the IETF as these specifications 
are located in their premises. Such input could essentially ask for a 
canonical string representation for DNAMEs.

That would be really nice and such a DNAME comparison could then be 
reduced to a simple string comparison. ;-)


Juan Carlos Cruellas wrote:
> Dear all,
> I understood in our last conference call that Frederick suggested to 
> summarize the issues related to the RFC 2253 stuff within XMLSig.
> In addition to the RFC 2253 encoding stuff that we have been 
> discussing in a separated thread, and which has been summarized by 
> Thomas, who has raised a proposal last week, I would like to remind an 
> issue that I raised in
> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Jun/0021.html 
> and that was commented by Ed in
> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Jun/0024.html 
> This issue deals with the fact that both RFC 2253 and RFC 4514 make it 
> clear that the String representation using short names and string 
> values for for representing DNs may put problems when trying to 
> identifying without ambiguity the corresponding certificate...
> Could we deal with this, once we have agreed on the encoding issue?
> Regards
> Juan Carlos.

Konrad Lanz, IAIK/SIC - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5547
Fax: +43 316 873 5520

Certificate chain (including the EuroPKI root certificate):

Received on Monday, 18 June 2007 20:18:52 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:58:42 UTC