Subject: [Fwd: Re: encoding an X.509 certificate]
There is a heated discussion going on on another forum related to IETF's Public Key Infrastructure X509 Working Group. Much of the discussion is around non-standard digital certificates issued by Certification Authority vendors and the lack of a single tool that ensures conformance. This debate continues more than 10 years after PKI X509 standards have been available. I just want to remind the TC that, knowing what we know, we shouldn't let this happen to the eNotarization Markup Language (ENML). The ENML Conformance Tool I proposed, and a requirement in the Specification that vendors MUST show successful compliance to that Tool, would go a long way towards getting vendors to implement this correctly and minimizing these kinds of debates long after the standard is finalized. The same argument holds for the standard icons proposal.

Arshad Noor
StrongAuth, Inc.

-------- Original Message --------
Subject: Re: encoding an X.509 certificate
Date: Sun, 9 Nov 2008 14:41:10 -0800
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Russ Housley <housley@vigilsec.com>, "Anders Rundgren" <anders.rundgren@telia.com>
CC: pkix <ietf-pkix@imc.org>

At 4:13 PM -0500 11/9/08, Russ Housley wrote:
>Anders:
>
>>Couldn't somebody set up something like W3C's HTML validator but for X509 certificates?
>
>I do not know what the W3C HTML validator does, but I am aware of the NIST PKI testing:
>
>http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html

The W3C Validator (<http://validator.w3.org/>) is an online mechanism for people to see whether a web page is valid HTML or XHTML. Some people like showing that their HTML is valid by checking it every time it changes and, if shown valid, put up a cute little logo on their web page. The NIST PKIX test system is an offline system. I think Anders was hoping that, by putting up an online system, the problems mentioned in this thread might be reduced because CAs issuing certificates could check if they are valid.
However, as Peter points out, there seems to be little interest on the part of the CA vendors to enforce the rules of X.509 and PKIX. Creating a local validation tool inside a CA vendor's lab is trivial. The assumption that individual CA vendors don't know about their lack of conformance to the specs is dubious at best.

--Paul Hoffman, Director
--VPN Consortium
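As an added illustration of the kind of local conformance lint the thread is talking about (this is not code from the thread, from NIST, or from any CA vendor), the following walks the DER of a certificate far enough to check two RFC 5280 encoding rules on the TBSCertificate: the version field and the serialNumber (positive, at most 20 octets). The helper names and the two sample certificates are my own constructions; the samples are truncated skeletons containing only the leading TBSCertificate fields, so they exercise the checks without being real certificates.

```python
# Minimal DER walker plus two RFC 5280 conformance checks (version, serialNumber).
# Added illustration, not code from the thread. Sample certificates are constructed
# skeletons: only the leading TBSCertificate fields are present.

def der_len(n):
    """Encode a DER length (short form, or long form for n >= 128)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Build one DER TLV element (single-byte tags only)."""
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def check_certificate(cert):
    """Lint the start of a Certificate per RFC 5280 4.1.2.1/4.1.2.2; return findings."""
    findings = []
    _, tbs, _ = read_tlv(cert, 0)            # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = read_tlv(tbs, 0)             # TBSCertificate ::= SEQUENCE { version [0] EXPLICIT, serialNumber, ... }
    tag, content, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                          # [0] EXPLICIT Version is present
        _, ver, _ = read_tlv(content, 0)
        if ver != b"\x02":
            findings.append("version is not v3; a certificate carrying extensions must be v3")
        tag, content, pos = read_tlv(tbs, pos)
    else:
        findings.append("version absent: defaults to v1, so no extensions are allowed")
    if tag != 0x02:
        findings.append("serialNumber is not an INTEGER")
        return findings
    if content[0] & 0x80:                    # two's-complement sign bit set
        findings.append("serialNumber is negative; RFC 5280 requires a positive integer")
    if len(content) > 20:
        findings.append("serialNumber exceeds 20 octets")
    return findings

def sample_cert(version_bytes, serial):
    """Constructed skeleton: SEQUENCE { SEQUENCE { [0] version (optional), INTEGER serial } }."""
    ver = der(0xA0, der(0x02, version_bytes)) if version_bytes is not None else b""
    return der(0x30, der(0x30, ver + der(0x02, serial)))

GOOD_CERT = sample_cert(b"\x02", b"\x01\x02\x03")          # v3, positive 3-octet serial
BAD_CERT = sample_cert(None, b"\xff\x00" + b"\x00" * 19)   # v1 by default, negative 21-octet serial
```

Running check_certificate over BAD_CERT reports all three problems, while GOOD_CERT yields no findings; a full tool would continue through signature, issuer, validity, subject and the extensions in the same way.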