IETF Logo Mail Archive

Re: Matching rule review comment on 3280bis

"David A. Cooper" <david.cooper@nist.gov> Wed, 26 September 2007 16:29 UTC

Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IaZlO-0003UF-8E for pkix-archive@lists.ietf.org; Wed, 26 Sep 2007 12:29:26 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IaZlC-0007NH-NQ for pkix-archive@lists.ietf.org; Wed, 26 Sep 2007 12:29:16 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8QFJYQh043342 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 26 Sep 2007 08:19:34 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l8QFJYYQ043341; Wed, 26 Sep 2007 08:19:34 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8QFJUbL043320 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-pkix@imc.org>; Wed, 26 Sep 2007 08:19:32 -0700 (MST) (envelope-from david.cooper@nist.gov)
Received: from postmark.nist.gov (pullyou.nist.gov [129.6.16.93]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id l8QFJKWt001088 for <ietf-pkix@imc.org>; Wed, 26 Sep 2007 11:19:21 -0400
Received: from st26.ncsl.nist.gov (st26.ncsl.nist.gov [129.6.54.72]) by postmark.nist.gov (8.13.7/8.13.7) with ESMTP id l8QFIexg024871 for <ietf-pkix@imc.org>; Wed, 26 Sep 2007 11:18:41 -0400 (EDT)
Message-ID: <46FA7863.1060608@nist.gov>
Date: Wed, 26 Sep 2007 11:18:59 -0400
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Thunderbird 2.0.0.4 (X11/20070620)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Re: Matching rule review comment on 3280bis
References: <A15AC0FBACD3464E95961F7C0BCD1FF006A22CA2C9@EA-EXMSG-C307.europe.corp.microsoft.com> <FA998122A677CF4390C1E291BFCF598908197048@EXCH.missi.ncsc.mil> <200709121816.l8CIGoFv022520@stingray.missi.ncsc.mil> <FA998122A677CF4390C1E291BFCF59890822C5DC@EXCH.missi.ncsc.mil> <200709131807.l8DI7maw037140@balder-227.proper.com>
In-Reply-To: <200709131807.l8DI7maw037140@balder-227.proper.com>
Content-Type: multipart/alternative; boundary="------------060203060707040805050306"
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: david.cooper@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a8041eca2a724d631b098c15e9048ce9

All,

Below is the text that I propose for section 7.1 of 3280bis.  I have 
included the entire section below, for context, even though changes are 
proposed for only the second and third paragraphs.

This proposal is essentially the text from David Kemp's email, but with 
the following changes:

1) The first sentence of the second paragraph states that LDAP 
StringPrep MUST be used as the basis for comparison of attributes 
encoded in PrintableString and UTF8String, rather than for any of the 
DirectoryString types, since the first paragraph states that conforming 
implementations are only required to support PrintableString and UTF8String.

2) In order to make the third paragraph consistent with the second 
paragraph, I added the phrase "using the caseIgnoreMatch matching rule", 
in order to clarify that the third paragraph does not apply when an 
attribute specifies a different matching rule.

3) In the second bullet in the third paragraph, "Removal" was changed to 
"Handling" in order to correct the title of section 2.6.1 of RFC 4518.

In the text below, those portions of the text where changes are proposed 
have been underlined.

If you have any comments on this proposed change, please submit them to 
the list by Wednesday, October 3.  If there are no objections by that 
point, I will post a new draft with the modified text.

Thanks,

Dave

----------------------------------------------------------------------------------------
7.1  Internationalized Names in Distinguished Names

   Representation of internationalized names in distinguished names is
   covered in sections 4.1.2.4, Issuer Name, and 4.1.2.6, Subject Name.
   Standard naming attributes, such as common name, employ the
   DirectoryString type, which supports internationalized names through
   a variety of language encodings.  Conforming implementations MUST
   support UTF8String and PrintableString.  RFC 3280 required only
   binary comparison of attribute values encoded in UTF8String, however,
   this specification requires a more comprehensive handling of
   comparison.  Implementations may encounter certificates and CRLs with
   names encoded using TeletexString, BMPString, or UniversalString but
   support for these is OPTIONAL.

   Conforming implementations MUST use the LDAP StringPrep profile
   _(including insignificant space handling)_, as specified in [RFC 4518],
   as the basis for comparison of distinguished name attributes _encoded in
   either PrintableString or UTF8String_.  _Conforming implementations
   MUST support name comparisons using caseIgnoreMatch.  Support for
   attribute types that use other equality matching rules is optional_.

   Before comparing names _using the caseIgnoreMatch matching rule_,
   conforming implementations MUST perform the six step string
   preparation algorithm described in [RFC 4518] for each attribute of type
   DirectoryString, with the following clarifications:

      *  In step 2, Map, the mapping shall include case folding as
      specified in appendix B.2 of [RFC 3454].

      *  In step 6, Insignificant Character Removal, perform white space
      compression as specified in section 2.6.1, Insignificant Space
      _Handling_ of [RFC 4518].

   When performing the string preparation algorithm, attributes MUST be
   treated as stored values.

   Comparisons of domainComponent attributes MUST be performed as
   specified in section 7.3.

   Two naming attributes match if the attribute types are the same and
   the values of the attributes are an exact match after processing with
   the string preparation algorithm.  Two relative distinguished names
   RDN1 and RDN2 match if they have the same number of naming attributes
   and for each naming attribute in RDN1 there is a matching naming
   attribute in RDN2.  Two distinguished names DN1 and DN2 match if they
   have the same number of RDNs, for each RDN in DN1 there is a matching
   RDN in DN2, and the matching RDNs appear in the same order in both
   DNs.  A distinguished name DN1 is within the subtree defined by the
   distinguished name DN2 if DN1 contains at least as many RDNs as DN2,
   and DN1 and DN2 are a match when trailing RDNs in DN1 are ignored.

v2.23.0 | Report a Bug | By Email