- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Wed, 26 Mar 2008 11:12:23 +0000
- To: public-wsc-wg@w3.org
Thomas Roessler wrote: > On 2008-03-21 07:51:53 -0400, Mary Ellen Zurko wrote: > >>> So, I'd suggest that the section on AA certificates asserts >>> this property as a condition of AA-ness, spells out the >>> sequence of attributes to use for deriving the human readable >>> name, and we then refer back to that for the identity signal >>> content. > >> Please draft some text for the discussion on Wed (I'd like to put >> this whole thing on the agenda then). Or did you do that already >> in your updates? > > The current text reads as follows: > > <p>It is expected that it will generally be the case that Issuer > and Subject information included in AACs is intended to be > displayed to users.</p> > > That's *very* soft. > > Instead, I'd propose to say this instead, also based on Yngve's > message as quoted in [1]: > > <p>To derive a human-readable name from an AAC, user agents > MUST use the first of the following fields that is human-readable:</p> > > <olist> > <item>the Subject's Common Name (CN) attribute;</item> > > Yngve, Stephen how does one properly deal with the use of CN to hold > a domain name? Is the type (IA5String) the right distinguisher here? No. IA5String could be used to encode "Example Inc." Can't recall whether that still in use with current certs or not (the specs do encourage CAs to use UTF8, but I'm not sure if they're complying). Essentially I don't think there's any general way to know you've a DNS name in a CN. However, in our context, we can compare against the authority part of the URL the UA just de-referenced. So I'd say that if the authority part of the URL and the CN part of the cert match (exactly, case insensitive, modulo wildcards in the CN value) then you've got a DNS name in the CN. Might need to tweak that to cater for HTTP re-directs and I dunno if use of CNAME DNS RR's could be a glitch or not. I think if we did that we may also be the first ones to write down DNS wildcard matching rules for CN, e.g. would we like www.*.com to be a match for loads of stuff, but that's (IIRC) different from RFC 2818 which deals with wildcard matching for dNSName alt names. > > <item>the Subject's Organizational Unit (OU) attribute, in > combination with its Location (L) attribute;</item> > <item>the Subject's Organization (O) attribute.</item> > </olist> Are there still certs around with "L=Internet" ? I guess they shouldn't crop up here, but just wanted to check. S. > > <p>All Augmented Assurance Certificates MUST include > information that lets this algorithm terminate successfully, > i.e., return human-readable information.</p> > > Then, in 6.1, change > > "the Subject field's Organization attribute, if present" > > to: > > "human-readable information about the certificate subject, > derived as specified in <specref ref="sec-evcert"/>." > > I'm tentatively making these changes to the editor's draft. > > 1. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Mar/0142.html > > Regards,
Received on Wednesday, 26 March 2008 11:13:14 UTC