- From: Sean Mullan <Sean.Mullan@Sun.COM>
- Date: Mon, 30 Jul 2007 17:34:48 -0400
- To: Ed Simon <edsimon@xmlsec.com>
- Cc: public-xmlsec-maintwg@w3.org
Ed Simon wrote:
> With regard to Action-69 ("Ed Simon to Draft warning similar to that of
> section 7.2 of RFC 2253"), I propose the following text (based on RFC
> 4514 rather than RFC 2253):
>
> >>>
> The XML Signature specification describes distinguished name encoding
> rules designed to comply with RFC 4514 and be robust within XML
> processing. When a distinguished name is used to identify a key, and not
> just to provide a human-readable string, as in Section 4 of the XML
> Signature specification which describes the <X509Data> element, it is
> important that applications incorporate the directions given in Section
> 5.2 of RFC 4514.
>
> Section 5.2 of RFC 4514 warns that when reversibility of the
> distinguished name string representation back to its initial BER or DER
> form is required (as would commonly be the case in XML Signature
> validation), then attribute values which are not of type PrintableString
> "SHOULD use the hexadecimal form prefixed by the number sign ('#'
> U+0023) as described in the first paragraph of Section 2.4 (of RFC 4514)".
> <<<
>
> Comments?
I agree with Frederick that we agreed to put this in the best practices doc.
I would also suggest changing the text above to PrintableString or
UTF8String. RFC 3280 requires all certificates issued after December 31,
2003 MUST use UTF8String for DNs (except for a couple of special cases)
- see section 4.1.2.4.
Also, I would suggest adding a warning that implementations should
use the OID form of attribute keywords if they are not one of the 9
standard short names listed in section 3 of RFC 4514. This can also
affect reversibility.
--Sean
Received on Monday, 30 July 2007 21:37:37 UTC
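The reversibility point argued in the message above can be made concrete in code. The following is an added illustration, not code from the thread, from the XML Signature specification or from any W3C implementation: it serializes a DER-ordered RDNSequence into an RFC 4514 string and parses it back, writing a value in the '#hex' form whenever its ASN.1 string type is outside the allowed text types or its attribute type is not one of the nine section 3 keywords. Both policies discussed in the thread are selectable (`ED_RULE`: text form only for PrintableString; `SEAN_RULE`: PrintableString or UTF8String), and `roundtrips()` checks whether the string form still recovers the original DER bytes. Everything here is assumed for the example: the minimal DER string encoder/decoder, the constructed sample DN, and the `type_hints` mechanism, which the parser needs because a text-form value no longer records whether it was a PrintableString or a UTF8String (the sample hints that `C` is PrintableString, as the X.509 profile defines countryName).

```python
import re

# RFC 4514 section 3: the nine attribute types with a registered short keyword.
# Anything else is written as a dotted-decimal OID with a hex ('#') value.
SHORT_NAMES = {
    "2.5.4.3": "CN", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.6": "C", "2.5.4.9": "STREET",
    "0.9.2342.19200300.100.1.25": "DC", "0.9.2342.19200300.100.1.1": "UID",
}
OIDS = {v: k for k, v in SHORT_NAMES.items()}

# ASN.1 universal tags of string types found in DirectoryString values.
PRINTABLE, UTF8, IA5, BMP = 0x13, 0x0C, 0x16, 0x1E
ED_RULE = {PRINTABLE}          # text form only for PrintableString (Ed's draft)
SEAN_RULE = {PRINTABLE, UTF8}  # text form for PrintableString or UTF8String

def der_string(tag, text):
    """Minimal DER encoder (assumed helper) for one string value: tag, length, contents."""
    body = text.encode("utf-16-be" if tag == BMP else "utf-8")
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_decode_string(der):
    """Inverse of der_string: returns (tag, text); rejects trailing bytes."""
    tag, first = der[0], der[1]
    k = 0 if first < 0x80 else first & 0x7F
    n = first if k == 0 else int.from_bytes(der[2:2 + k], "big")
    if 2 + k + n != len(der):
        raise ValueError("DER length does not match value")
    return tag, der[2 + k:].decode("utf-16-be" if tag == BMP else "utf-8")

def escape_value(text):
    """RFC 4514 section 2.4 escaping for a value written in text form."""
    out = ""
    for i, ch in enumerate(text):
        special = (ch in '"+,;<>\\' or (i == 0 and ch in " #")
                   or (i == len(text) - 1 and ch == " "))
        out += "\\00" if ch == "\x00" else "\\" + ch if special else ch
    return out

def unescape_value(s):
    """Undo escape_value; a run of \\XX hex pairs is decoded as UTF-8 bytes."""
    return re.sub(r"(?:\\[0-9A-Fa-f]{2})+|\\(.)",
                  lambda m: m.group(1) if m.group(1) is not None
                  else bytes.fromhex(m.group().replace("\\", "")).decode("utf-8"), s)

def split_unescaped(s, sep):
    """Split on sep, treating a backslash plus the next character as one unit."""
    return re.findall(r"(?:\\.|[^%s])+" % re.escape(sep), s)

def dn_to_string(rdn_sequence, text_tags=SEAN_RULE):
    """rdn_sequence: RDNs in DER order, each a list of (type OID, DER value).
    A value whose string type is not in text_tags, or whose attribute type
    has no short keyword, uses the '#hex' form of RFC 4514 section 2.4."""
    parts = []
    for rdn in reversed(rdn_sequence):  # section 2.1: last RDN comes first
        avas = []
        for oid, der in rdn:
            tag, text = der_decode_string(der)
            if oid in SHORT_NAMES and tag in text_tags:
                avas.append(SHORT_NAMES[oid] + "=" + escape_value(text))
            else:
                avas.append(SHORT_NAMES.get(oid, oid) + "=#" + der.hex())
        parts.append("+".join(avas))
    return ",".join(parts)

def string_to_dn(s, default_tag=UTF8, type_hints=None):
    """Parse back to DER order. A text-form value no longer says which ASN.1
    string type it came from, so it is re-encoded with type_hints[oid] if
    given, else default_tag. Hex-form values are restored byte for byte."""
    rdns = []
    for rdn_text in split_unescaped(s, ","):
        rdn = []
        for ava in split_unescaped(rdn_text, "+"):
            keyword, value = ava.split("=", 1)
            oid = OIDS.get(keyword.upper(), keyword)
            if not re.fullmatch(r"\d+(\.\d+)+", oid):
                raise ValueError("unknown attribute keyword: " + keyword)
            if value.startswith("#"):
                der = bytes.fromhex(value[1:])
            else:
                der = der_string((type_hints or {}).get(oid, default_tag),
                                 unescape_value(value))
            rdn.append((oid, der))
        rdns.append(rdn)
    return list(reversed(rdns))

def roundtrips(rdn_sequence, text_tags=SEAN_RULE, default_tag=UTF8, type_hints=None):
    """True if the string form reproduces the original DER exactly."""
    s = dn_to_string(rdn_sequence, text_tags)
    return string_to_dn(s, default_tag, type_hints) == rdn_sequence

# Constructed sample DN (not from any real certificate): PrintableString country,
# UTF8String organisation with a comma, an emailAddress attribute (no section 3
# keyword) and a BMPString CN of the kind pre-2004 CAs issued.
SAMPLE_DN = [
    [("2.5.4.6", der_string(PRINTABLE, "CA"))],
    [("2.5.4.10", der_string(UTF8, "Example, Inc."))],
    [("1.2.840.113549.1.9.1", der_string(IA5, "key@example.com"))],
    [("2.5.4.3", der_string(BMP, "Signing Key"))],
]
```

With `SEAN_RULE` the sample renders as `CN=#1e16…,1.2.840.113549.1.9.1=#160f…,O=Example\, Inc.,C=CA`; with `ED_RULE` the organisation also goes to hex. The round-trip check shows the caveat behind the two proposals: under Ed's rule a parser that assumes PrintableString for every text value recovers the DER exactly, whereas under Sean's rule `C=CA` is re-encoded as UTF8String unless the validator knows the expected type of that attribute, so an implementation that accepts both text types must carry per-attribute type knowledge to stay reversible.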