Re: Matching rule review comment on 3280bis
"David A. Cooper" <david.cooper@nist.gov> Wed, 26 September 2007 16:29 UTC
Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IaZlO-0003UF-8E for pkix-archive@lists.ietf.org; Wed, 26 Sep 2007 12:29:26 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IaZlC-0007NH-NQ for pkix-archive@lists.ietf.org; Wed, 26 Sep 2007 12:29:16 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8QFJYQh043342 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 26 Sep 2007 08:19:34 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l8QFJYYQ043341; Wed, 26 Sep 2007 08:19:34 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8QFJUbL043320 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-pkix@imc.org>; Wed, 26 Sep 2007 08:19:32 -0700 (MST) (envelope-from david.cooper@nist.gov)
Received: from postmark.nist.gov (pullyou.nist.gov [129.6.16.93]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id l8QFJKWt001088 for <ietf-pkix@imc.org>; Wed, 26 Sep 2007 11:19:21 -0400
Received: from st26.ncsl.nist.gov (st26.ncsl.nist.gov [129.6.54.72]) by postmark.nist.gov (8.13.7/8.13.7) with ESMTP id l8QFIexg024871 for <ietf-pkix@imc.org>; Wed, 26 Sep 2007 11:18:41 -0400 (EDT)
Message-ID: <46FA7863.1060608@nist.gov>
Date: Wed, 26 Sep 2007 11:18:59 -0400
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Thunderbird 2.0.0.4 (X11/20070620)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Re: Matching rule review comment on 3280bis
References: <A15AC0FBACD3464E95961F7C0BCD1FF006A22CA2C9@EA-EXMSG-C307.europe.corp.microsoft.com> <FA998122A677CF4390C1E291BFCF598908197048@EXCH.missi.ncsc.mil> <200709121816.l8CIGoFv022520@stingray.missi.ncsc.mil> <FA998122A677CF4390C1E291BFCF59890822C5DC@EXCH.missi.ncsc.mil> <200709131807.l8DI7maw037140@balder-227.proper.com>
In-Reply-To: <200709131807.l8DI7maw037140@balder-227.proper.com>
Content-Type: multipart/alternative; boundary="------------060203060707040805050306"
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: david.cooper@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a8041eca2a724d631b098c15e9048ce9
All, Below is the text that I propose for section 7.1 of 3280bis. I have included the entire section below, for context, even though changes are proposed for only the second and third paragraphs. This proposal is essentially the text from David Kemp's email, but with the following changes: 1) The first sentence of the second paragraph states that LDAP StringPrep MUST be used as the basis for comparison of attributes encoded in PrintableString and UTF8String, rather than for any of the DirectoryString types, since the first paragraph states that conforming implementations are only required to support PrintableString and UTF8String. 2) In order to make the third paragraph consistent with the second paragraph, I added the phrase "using the caseIgnoreMatch matching rule", in order to clarify that the third paragraph does not apply when an attribute specifies a different matching rule. 3) In the second bullet in the third paragraph, "Removal" was changed to "Handling" in order to correct the title of section 2.6.1 of RFC 4518. In the text below, those portions of the text where changes are proposed have been underlined. If you have any comments on this proposed change, please submit them to the list by Wednesday, October 3. If there are no objections by that point, I will post a new draft with the modified text. Thanks, Dave ---------------------------------------------------------------------------------------- 7.1 Internationalized Names in Distinguished Names Representation of internationalized names in distinguished names is covered in sections 4.1.2.4, Issuer Name, and 4.1.2.6, Subject Name. Standard naming attributes, such as common name, employ the DirectoryString type, which supports internationalized names through a variety of language encodings. Conforming implementations MUST support UTF8String and PrintableString. RFC 3280 required only binary comparison of attribute values encoded in UTF8String, however, this specification requires a more comprehensive handling of comparison. Implementations may encounter certificates and CRLs with names encoded using TeletexString, BMPString, or UniversalString but support for these is OPTIONAL. Conforming implementations MUST use the LDAP StringPrep profile _(including insignificant space handling)_, as specified in [RFC 4518], as the basis for comparison of distinguished name attributes _encoded in either PrintableString or UTF8String_. _Conforming implementations MUST support name comparisons using caseIgnoreMatch. Support for attribute types that use other equality matching rules is optional_. Before comparing names _using the caseIgnoreMatch matching rule_, conforming implementations MUST perform the six step string preparation algorithm described in [RFC 4518] for each attribute of type DirectoryString, with the following clarifications: * In step 2, Map, the mapping shall include case folding as specified in appendix B.2 of [RFC 3454]. * In step 6, Insignificant Character Removal, perform white space compression as specified in section 2.6.1, Insignificant Space _Handling_ of [RFC 4518]. When performing the string preparation algorithm, attributes MUST be treated as stored values. Comparisons of domainComponent attributes MUST be performed as specified in section 7.3. Two naming attributes match if the attribute types are the same and the values of the attributes are an exact match after processing with the string preparation algorithm. Two relative distinguished names RDN1 and RDN2 match if they have the same number of naming attributes and for each naming attribute in RDN1 there is a matching naming attribute in RDN2. Two distinguished names DN1 and DN2 match if they have the same number of RDNs, for each RDN in DN1 there is a matching RDN in DN2, and the matching RDNs appear in the same order in both DNs. A distinguished name DN1 is within the subtree defined by the distinguished name DN2 if DN1 contains at least as many RDNs as DN2, and DN1 and DN2 are a match when trailing RDNs in DN1 are ignored.
- Matching rule review comment on 3280bis Stefan Santesson
- RE: Matching rule review comment on 3280bis Kemp, David P.
- Re: Matching rule review comment on 3280bis Russ Housley
- Re: Matching rule review comment on 3280bis Sam Hartman
- Re: Matching rule review comment on 3280bis Sam Hartman
- Re: Matching rule review comment on 3280bis Tim Polk
- Re: Matching rule review comment on 3280bis Kurt Zeilenga
- RE: Matching rule review comment on 3280bis Stefan Santesson
- RE: Matching rule review comment on 3280bis Kemp, David P.
- Re: Matching rule review comment on 3280bis Tim Polk
- RE: Matching rule review comment on 3280bis Kemp, David P.
- Re: Matching rule review comment on 3280bis Sam Hartman
- Re: Matching rule review comment on 3280bis Russ Housley
- Re: Matching rule review comment on 3280bis Russ Housley
- Re: Matching rule review comment on 3280bis Kurt Zeilenga
- Re: Matching rule review comment on 3280bis Kurt Zeilenga
- RE: Matching rule review comment on 3280bis Stefan Santesson
- Re: Matching rule review comment on 3280bis Sam Hartman
- RE: Matching rule review comment on 3280bis Stefan Santesson
- RE: Matching rule review comment on 3280bis Kemp, David P.
- Re: Matching rule review comment on 3280bis Kurt Zeilenga
- RE: Matching rule review comment on 3280bis Kemp, David P.
- RE: Matching rule review comment on 3280bis Kemp, David P.
- RE: Matching rule review comment on 3280bis Russ Housley
- RE: Matching rule review comment on 3280bis Kemp, David P.
- RE: Matching rule review comment on 3280bis Russ Housley
- Re: Matching rule review comment on 3280bis David A. Cooper