legalxml-enotary message

Subject: [Fwd: Re: encoding an X.509 certificate]


There is a heated discussion going on on another forum
related to IETF's Public Key Infrastructure X509 Working
Group.

Much of the discussion is around non-standard digital
certificates issued by Certification Authority vendors
and the lack of a single tool that ensures conformance.
This debate continues more than 10 years after PKI X509
standards have been available.

I just want to remind the TC that, knowing what we know,
we shouldn't let this happen to the eNotarization Markup
Language (ENML).  The ENML Conformance Tool I proposed,
and a requirement in the Specification that vendors MUST
show successful compliance to that Tool would go a long
way towards getting vendors to implement this correctly
and minimizing these kinds of debates long after the
standard is finalized.

Same argument holds for the standard icons proposal.

Arshad Noor
StrongAuth, Inc.

-------- Original Message --------
Subject: Re: encoding an X.509 certificate
Date: Sun, 9 Nov 2008 14:41:10 -0800
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Russ Housley <housley@vigilsec.com>, Anders Rundgren <anders.rundgren@telia.com>
CC: pkix <ietf-pkix@imc.org>


At 4:13 PM -0500 11/9/08, Russ Housley wrote:
>Anders:
>
>>Couldn't somebody setup something like W3C's HTML validator but for X509 certificates?
>
>I do not know what the W3C HTML validator does, but I am aware of the NIST PKI testing:
>
>http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html

The W3C Validator (<http://validator.w3.org/>) is an online mechanism 
for people to see whether a web page is valid HTML or XHTML. Some people 
like showing that their HTML is valid by checking it every time it 
changes and, if shown valid, put up a cute little logo on their web page.

The NIST PKIX test system is an offline system. I think Anders was 
hoping that, by putting up an online system, the problems mentioned in 
this thread might be reduced because CAs issuing certificates could 
check if they are valid. However, as Peter points out, there seems to be 
little interest on the part of the CA vendors to enforce the rules of 
X.509 and PKIX.

Creating a local validation tool inside a CA vendor's lab is trivial. 
The assumption that individual CA vendors don't know about their lack of 
conformance to the specs is dubious at best.

--Paul Hoffman, Director
--VPN Consortium
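Two passages above call for the same illustration: Arshad Noor's proposed ENML Conformance Tool, and Paul Hoffman's remark that building a local validation tool in a CA vendor's lab is trivial. The following is an added example, not code from this thread, from NIST's PKI test suite, or from any vendor: a small Python DER "lint" that applies encoding rules from X.690 (shortest length form, minimal INTEGER content, DER BOOLEAN values) and the serialNumber rules from RFC 5280 section 4.1.2.2 (positive, at most 20 octets). The inputs are constructed certificate skeletons carrying only a version and a serial number, not real certificates, and the function names (`lint_certificate`, `walk`, `skeleton`) are this example's own.

```python
"""Added example: DER-level conformance checks of the kind a local X.509
lint tool would run. Rules cited are from X.690 (DER) and RFC 5280; the
sample inputs are constructed skeletons, not real certificates."""

INTEGER, BOOLEAN, SEQUENCE = 0x02, 0x01, 0x30


def _read_tlv(data, pos, findings, where):
    """Parse one TLV at data[pos:], recording DER length-encoding violations.
    Returns (tag, content, next_pos). Only single-byte tags are handled,
    which covers every tag used in an RFC 5280 certificate."""
    if pos + 1 >= len(data):
        raise ValueError("%s: truncated, expected tag and length" % where)
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("%s: multi-byte tags not supported" % where)
    first = data[pos + 1]
    hdr = 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("%s: indefinite length is forbidden in DER" % where)
    else:
        n = first & 0x7F
        lb = data[pos + 2:pos + 2 + n]
        if len(lb) != n:
            raise ValueError("%s: truncated length" % where)
        length = int.from_bytes(lb, "big")
        hdr += n
        # X.690 10.1: DER requires the shortest possible length encoding.
        if lb[0] == 0x00 or length < 0x80:
            findings.append("%s: non-minimal length encoding" % where)
    content = data[pos + hdr:pos + hdr + length]
    if len(content) != length:
        raise ValueError("%s: content truncated" % where)
    return tag, content, pos + hdr + length


def _check_primitive(tag, content, findings, where):
    """DER content rules for the primitive types certificates use most."""
    if tag == INTEGER:
        if not content:
            findings.append("%s: INTEGER with empty content" % where)
        elif len(content) >= 2 and (
            (content[0] == 0x00 and not content[1] & 0x80)
            or (content[0] == 0xFF and content[1] & 0x80)
        ):
            # X.690 8.3.2: the first nine bits must not all be equal.
            findings.append("%s: non-minimal INTEGER encoding" % where)
    elif tag == BOOLEAN:
        if len(content) != 1 or content[0] not in (0x00, 0xFF):
            findings.append("%s: BOOLEAN must be one octet, 0x00 or 0xFF" % where)


def walk(data, findings=None, where="cert"):
    """Parse every TLV in data recursively, collecting DER violations.
    Returns (list of (tag, content, children) nodes, findings)."""
    findings = [] if findings is None else findings
    nodes, pos, idx = [], 0, 0
    while pos < len(data):
        here = "%s.%d" % (where, idx)
        tag, content, pos = _read_tlv(data, pos, findings, here)
        if tag & 0x20:  # constructed: the content octets are themselves TLVs
            children, _ = walk(content, findings, here)
        else:
            children = []
            _check_primitive(tag, content, findings, here)
        nodes.append((tag, content, children))
        idx += 1
    return nodes, findings


def lint_certificate(der_bytes):
    """Return the list of findings for a DER certificate; [] means it passed.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] OPTIONAL,
    serialNumber INTEGER, ... }, ... }, so the serial is the first INTEGER
    directly inside the first child of the outer SEQUENCE."""
    nodes, findings = walk(der_bytes, [], "cert")
    if len(nodes) != 1 or nodes[0][0] != SEQUENCE:
        return findings + ["cert: top level must be exactly one SEQUENCE"]
    tbs = nodes[0][2][0] if nodes[0][2] else None
    if tbs is None or tbs[0] != SEQUENCE:
        return findings + ["cert: tbsCertificate missing or not a SEQUENCE"]
    serial = next((c[1] for c in tbs[2] if c[0] == INTEGER), None)
    if serial is None:
        findings.append("cert: serialNumber missing")
    else:
        if serial and serial[0] & 0x80:
            findings.append("serialNumber: must be positive (RFC 5280 4.1.2.2)")
        if len(serial) > 20:
            findings.append("serialNumber: longer than 20 octets (RFC 5280 4.1.2.2)")
    return findings


def der(tag, content):
    """Encode a TLV with a DER-minimal length (used to build the samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def skeleton(serial_tlv):
    """Constructed skeleton: v3 version and a serial, nothing else. Real
    certificates also carry signature, issuer, validity, subject, SPKI and
    extensions; these checks do not need them, so they are omitted."""
    tbs = der(SEQUENCE, der(0xA0, der(INTEGER, b"\x02")) + serial_tlv)
    return der(SEQUENCE, tbs)


GOOD = skeleton(der(INTEGER, b"\x01\x02\x03"))
NEGATIVE_SERIAL = skeleton(der(INTEGER, b"\x80\x01"))
PADDED_SERIAL = skeleton(der(INTEGER, b"\x00\x05"))
LONG_FORM_LENGTH = skeleton(b"\x02\x81\x01\x05")  # length 1 written in long form

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("negative serial", NEGATIVE_SERIAL),
                       ("padded serial", PADDED_SERIAL),
                       ("long-form length", LONG_FORM_LENGTH)]:
        print(name, "->", lint_certificate(blob) or "conforms")
```

Running it reports no findings for the first skeleton and exactly one rule violation for each of the other three. A lab tool of the kind Paul describes would add the remaining RFC 5280 profile checks (required fields, extension criticality, name and time encodings) on top of this walker; the DER layer shown here is where many of the historically non-conforming certificates already fail.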


