ipsec September 2009 archive
Main Archive Page > Month Archives  > ipsec archives
ipsec: Re: [IPsec] Populating ID_DER_ASN1_DN

Re: [IPsec] Populating ID_DER_ASN1_DN

From: Tero Kivinen <kivinen_at_nospam>
Date: Fri Sep 18 2009 - 08:57:22 GMT
To: David Wierbowski <wierbows@us.ibm.com>


David Wierbowski writes:
> Thanks for the clarification. The text in 4301 makes sense. What I do not
> agree with is the text in 4945 that requires implementations MUST be able
> to perform matching based on a bitwise comparison of the entire DN in ID to
> its entry in the SPD. I can agree with saying that implementations MUST be
> able to perform matching of the entire DN in ID to its entry in the SPD.
> It's the "based on a bitwise comparison" that I do not agree with. It
> should be up to the implementation to decide if it wants to do a bitwise
> match or use normal x.500 DN matching rules.

I think one of the reasons the bitwise comparison is there, that some CA products have been known to issue certificates which are invalid by normal processing rules, for example they can use characters that are not allowed for PRINTABLE STRINGS (for example Latin1 characters for names). Depending on your matching engine it might be impossible to get those matching without bitwise comparison.

I agree that it being MUST is not needed, it could be MAY or SHOULD. -- kivinen@iki.fi _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec