security-services message

Subject: RE: [security-services] Changes for Core 26

> 1) the rare-old-times:-)
> ------------------------
> > b) Modify text in the following sections to state "The time value MUST be
> > expressed in UTC time as specified in section 1.3.4"
> > 2.3.3, 2.3.3., 3.2.1, 3.4.1
> The above I like. The pdf however also says: "MUST NOT generate time
> instants that specify leap seconds." I guess this is trying to constrain
> dateTime even more, (an approach with which I sympathize), but I think
> this is just a little bit too much. I'd suggest s/MUST
> on the basis that "MUST NOT" means that everyone has to write a line
> of code that only gets executed once every couple of years - it might 
> be something like "if (seconds==60) sleep(1)". Now that I'd rather not
> have that MUST since sleeping that second could be important for some
> application or other and code that's run that rarely *always* causes
> problems (at least it did when I wrote code:-).

I thought of that, but the problem that comes up otherwise is that 
people will write clients that barf when they see a leap second because
they never checked their code for that eventuality.

For interop I think we have only two choices
1) Require issuers never to generate leap seconds
2) Require relying parties to handle leap seconds.

The reason I favor 1 is that in practice very few platforms actually
support leap seconds and one has to work real hard to make one happen.

> 2. NameIdentifier.Name
> ----------------------
> Eve suggested putting the name value in as element value, not as an
> attribute which I thought had been agreed but the NameIdentifier still
> has two attributes here. Suggest implementing Eve's change.

That is fine by me, I think the conversation carried on after the
agreement so the decision didn't get recorded in the minutes.

Phillip Hallam-Baker (E-mail).vcf
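The two interop choices discussed in the message above, sketched as an added example that is not part of the original e-mail or of any specification text. The function names, the UTC-only pattern and the policy of mapping 23:59:60 to the following midnight are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# UTC-only xsd:dateTime ("Z" suffix), optional fractional seconds.
_UTC_DATETIME = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?Z$")

def issue_instant(now=None):
    """Choice 1, issuer side: emit a UTC instant that never carries :60."""
    now = now or datetime.now(timezone.utc)
    # datetime cannot represent second 60, so the output is leap-second free.
    return now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def naive_parse(text):
    """A relying party that never considered :60; raises ValueError on it."""
    parsed = datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)

def parse_instant(text, tolerate_leap_second=True):
    """Choice 2, relying-party side: parse a UTC instant, handling :60."""
    m = _UTC_DATETIME.match(text)
    if not m:
        raise ValueError(f"not a UTC dateTime: {text!r}")
    year, month, day, hour, minute, second = (int(g) for g in m.groups()[:6])
    frac = m.group(7)
    micro = int((frac[1:] + "000000")[:6]) if frac else 0
    leap = second == 60
    if leap:
        # Leap seconds are only ever inserted as 23:59:60 UTC.
        if not tolerate_leap_second or (hour, minute) != (23, 59):
            raise ValueError(f"leap second not permitted: {text!r}")
        second, micro = 59, 0  # assumed policy: round up to the next second
    value = datetime(year, month, day, hour, minute, second, micro,
                     timezone.utc)
    return value + timedelta(seconds=1) if leap else value

if __name__ == "__main__":
    sample = "2016-12-31T23:59:60Z"  # constructed sample input
    print(issue_instant())
    print(parse_instant(sample))
    try:
        naive_parse(sample)
    except ValueError as exc:
        print("naive parser failed:", exc)
```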

