3280bis David Cooper


Changes Since Draft 02

● Section 1 (Introduction): Replaced text highlighting changes between RFC 2459 and 3280 with text highlighting changes between RFC 3280 and 3280bis.

● Sections 4.1.2.4 and 4.1.2.6 (issuer and subject): Added text about using TeletexString, BMPString, and UniversalString in names of new CAs and end entities that are joining an existing domain where those encodings are already in use. Alignment with draft-ietf-pkix-cert-utf8-03.txt.


● Section 4.2.1.12 (Extended Key Usage): Clarified that an application that requires the presence of an EKU extension with a particular OID is not required to accept the presence of anyExtendedKeyUsage as a match.

● Section 6.2 (Using the Path Validation Algorithm): Removed paragraph about extending path validation algorithm to conform to PEM rules.


● Added to Security Considerations text about risks involving different strings with similar visual representations, and about the risk of circular dependencies when using an HTTPS URI in cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess extensions.

● Section 7 (Rules for Processing Internationalized Names): Clarified that strings are prepared as “stored” prior to comparison.

● Updated references section.


Open Issues

● Should 3280bis forbid conforming CAs from imposing name constraints on the x400Address, ediPartyName, and registeredID name forms?

● Include guidance on handling/avoiding circular dependencies in certificate status checking?

● Escape clause?