W3C home > Mailing lists > Public > public-xmlsec-maintwg@w3.org > July 2007

Re: Action-69: "Ed Simon to Draft warning similar to that of section 7.2 of RFC 2253"

From: Sean Mullan <Sean.Mullan@Sun.COM>
Date: Mon, 30 Jul 2007 17:34:48 -0400
To: Ed Simon <edsimon@xmlsec.com>
Cc: public-xmlsec-maintwg@w3.org
Message-id: <46AE5978.7070205@sun.com>

Ed Simon wrote:
> With regard to Action-69 ("Ed Simon to Draft warning similar to that of 
> section 7.2 of RFC 2253"), I propose the following text (based on RFC 
> 4514 rather than RFC 2253):
>> >>
> The XML Signature specification describes distinguished name encoding 
> rules designed to comply with RFC 4514 and be robust within XML 
> processing. When a distinguished name is used to identify a key, and not 
> just to provide a human-readable string, as in Section 4 of the XML 
> Signature specification which describes the <X509Data> element, it is 
> important that applications incorporate the directions given in Section 
> 5.2 of RFC 4514.
> Section 5.2 of RFC 4514 warns that when reversibility of the 
> distinguished name string representation back to its initial BER or DER 
> form is required (as would commonly be the case in XML Signature 
> validation), then attribute values which are not of type PrintableString 
> "SHOULD use the hexadecimal form prefixed by the number sign ('#' 
> U+0023) as described in the first paragraph of Section 2.4 (of RFC 4514)".
> <<<
> Comments?

I agree with Frederick that we agreed to put this in the best practices doc.

I would also suggest changing the text above to PrintableString or 
UTF8String. RFC 3280 requires all certificates issued after December 31, 
2003 MUST use UTF8String for DNs (except for a couple of special cases) 
- see section

Also, I would suggest also adding a warning that implementations should 
use the OID form of attribute keywords if they are not one of the 9 
standard short names listed in section 3 of RFC 4514. This can also 
affect reversability.

Received on Monday, 30 July 2007 21:37:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:42:40 UTC