- From: Juan Carlos Cruellas <cruellas@ac.upc.edu>
- Date: Tue, 19 Jun 2007 11:30:35 +0200
- To: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
- CC: public-xmlsec-maintwg@w3.org
My view is that XMLSig recommends usage of RFC2253 for identifying certificates and that this may cause problems... My understanding is that the problem that RFC 2253 and 4514 point out is related with reversibility, i.e., that in certain occasions even if you have a certain string representing a RDN, there could be problems for going back at the original RDN and use this for locating the corresponding certificate making comparisons on the RDN itself (in fact sections 7.2 in RFC 2253 and 2.4 in 4514 make it clear). As they say, a simple 'CN=Sam' migth cause problems, as the CN attribute may be a printableString, a universalString, a uTF8String and other types... I would say that at least we could think of including within XMLSig some warning on these issues.... Juan Carlos. Konrad Lanz escribió: > Dear all, > > I do not think that XMLDSig is the right place to perform DNAME > constraining, canonicalization or comparison. > Usually RFC 2253/4514 implementations will parse two string > representations and rather use means as specified in RFC 4517 section > 4 to compare two values. > > However I would agree giving input to the IETF as these specifications > are located in their premises. Such input could essentially ask for a > canonical string representation for DNAMEs. > > That would be really nice and such a DNAME comparison could then be > reduced to a simple string comparison. ;-) > > Konrad > > Juan Carlos Cruellas wrote: >> >> Dear all, >> >> I understood in our last conference call that Frederick suggested to >> summarize the issues related to the RFC 2253 stuff within XMLSig. >> >> In addition to the RFC 2253 encoding stuff that we have been >> discussing in a separated thread, and which has been summarized by >> Thomas, who has raised a proposal last week, I would like to remind >> an issue that I raised in >> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Jun/0021.html >> >> >> and that was commented by Ed in >> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Jun/0024.html >> >> >> This issue deals with the fact that both RFC 2253 and RFC 4514 make >> it clear that the String representation using short names and string >> values for for representing DNs may put problems when trying to >> identifying without ambiguity the corresponding certificate... >> >> Could we deal with this, once we have agreed on the encoding issue? >> >> Regards >> >> Juan Carlos. >> > >
Received on Tuesday, 19 June 2007 09:30:49 UTC