Re: [openssl-dev] Re: How to locate the X.509 specifications

2010-08-10 Thread Kyle Hamilton

The 5280, 3280, and 2459 profiles are utterly broken and useless.  They conflate privilege 
management with identity management (extendedKeyUsage for the lose), and they 
have violated ASN.1 and OID management constraints by changing the semantics of an already-defined 
OID between 2459 and 3280.

I expect that revision 6 of X.509 isn't going to be used by the IETF any time 
soon, until it's available for free.  If it ever is.

In the meantime, I'm using the X.509 data structures to do something explicitly 
out-of-scope for X.509.  Here's hoping that it makes it out the door.

-Kyle H

On Sun, Aug 8, 2010 at 1:38 PM, David Shambroom w...@intersystems.com wrote:

> RFC 5280 is just what it says it is:
>
>     Internet X.509 Public Key Infrastructure Certificate and Certificate
>     Revocation List (CRL) Profile
>
> "tailored for the Internet" (Section 3.1). No one said that it's anything
> more. Don't use it if you don't like it, but it's worth knowing about.
>
> Erwann ABALEA wrote:
>
>> On August 7, 2010, David Shambroom wrote:
>>
>>> See:
>>>
>>> http://www.ietf.org/rfc/rfc5280.txt
>>
>> RFC5280 is only a profile for X.509 certificates and CRLs, just as
>> RFC3280 and RFC2459 were before it. Hopefully, RFC5280 is of better quality
>> than its predecessors, but it doesn't replace the standard at all.
>> It adds more constraints, some of them unnecessary (for example an
>> organizationName or a commonName limited to 64 characters).
>>
>> The RFC acts on top of X.509, and only for public key certificates (i.e.
>> not attribute certificates).
>>
>>> Kyle Hamilton wrote:
>>>
>>>> I was asked this morning where to find the X.509 specification,
>>>> since http://itu.int/ is such a messy website.
>>
>> It's sad the 2008 version is only available for a fee.
>> I always thought the free 2005 version (and corresponding X.5xx
>> standards covering other important aspects) was a good thing to help
>> development.

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Re: [openssl-dev] Re: How to locate the X.509 specifications

2010-08-09 Thread David Shambroom

RFC 5280 is just what it says it is:

    Internet X.509 Public Key Infrastructure Certificate and Certificate
    Revocation List (CRL) Profile

"tailored for the Internet" (Section 3.1). No one said that it's
anything more. Don't use it if you don't like it, but it's worth
knowing about.

Erwann ABALEA wrote:

> On August 7, 2010, David Shambroom wrote:
>
>> See:
>>
>> http://www.ietf.org/rfc/rfc5280.txt
>
> RFC5280 is only a profile for X.509 certificates and CRLs, just as
> RFC3280 and RFC2459 were before it. Hopefully, RFC5280 is of better quality
> than its predecessors, but it doesn't replace the standard at all.
> It adds more constraints, some of them unnecessary (for example an
> organizationName or a commonName limited to 64 characters).
>
> The RFC acts on top of X.509, and only for public key certificates (i.e.
> not attribute certificates).
>
>> Kyle Hamilton wrote:
>>
>>> I was asked this morning where to find the X.509 specification,
>>> since http://itu.int/ is such a messy website.
>
> It's sad the 2008 version is only available for a fee.
> I always thought the free 2005 version (and corresponding X.5xx
> standards covering other important aspects) was a good thing to help
> development.




Re: [openssl-dev] Re: How to locate the X.509 specifications

2010-08-09 Thread Erwann ABALEA
On August 8, 2010, David Shambroom wrote:
> RFC 5280 is just what it says it is:
>
>     Internet X.509 Public Key Infrastructure Certificate and
>     Certificate Revocation List (CRL) Profile

Exactly. And Kyle was explaining where to find the X.509
specification.

> "tailored for the Internet" (Section 3.1). No one said that it's
> anything more. Don't use it if you don't like it, but it's worth
> knowing about.

I'm forced to use it, since that's what most systems refer to when
they want X.509 certificates.

You're right, it's worth knowing about. But in addition to the real
X.509 standard.

[...]
> Kyle Hamilton wrote:
>> I was asked this morning where to find the X.509 specification,
>> since http://itu.int/ is such a messy website.

-- 
Erwann ABALEA erwann.aba...@keynectis.com
R&D Department
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tel.: +33 1 55 64 22 07
http://www.keynectis.com
-
Aiming at foot before pulling trigger always bad idea.


Re: [openssl-dev] Re: How to locate the X.509 specifications

2010-08-08 Thread Erwann ABALEA
On August 7, 2010, David Shambroom wrote:
> See:
>
> http://www.ietf.org/rfc/rfc5280.txt

RFC5280 is only a profile for X.509 certificates and CRLs, just as
RFC3280 and RFC2459 were before it. Hopefully, RFC5280 is of better quality
than its predecessors, but it doesn't replace the standard at all.
It adds more constraints, some of them unnecessary (for example an
organizationName or a commonName limited to 64 characters).

The RFC acts on top of X.509, and only for public key certificates (i.e.
not attribute certificates).

> Kyle Hamilton wrote:
>> I was asked this morning where to find the X.509 specification,
>> since http://itu.int/ is such a messy website.

It's sad the 2008 version is only available for a fee.
I always thought the free 2005 version (and corresponding X.5xx
standards covering other important aspects) was a good thing to help
development.

-- 
Erwann ABALEA erwann.aba...@keynectis.com
R&D Department
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tel.: +33 1 55 64 22 07
http://www.keynectis.com
-
scanf() is evil.
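The 64-character limits Erwann mentions are the "upper bounds" of RFC 5280 Appendix A.1 (ub-common-name = 64, ub-organization-name = 64, ub-organizational-unit-name = 64, ub-locality-name = 128, ub-state-name = 128, ub-country-name-alpha-length = 2); they are constraints of the IETF profile, not of X.509 itself, which is exactly the profile-versus-standard distinction the thread is about. The following is an added example, not code from this thread or from OpenSSL: a standard-library Python checker that walks a DER-encoded Name and reports every attribute value that exceeds its profile bound. The function names (`read_tlv`, `parse_name`, `check_upper_bounds`, `build_name`) are this example's own, the DER walker is a minimal stand-in for a real parser, and the two sample Names at the bottom are constructed here for the demonstration.

```python
"""Check X.509 Name attribute values against the RFC 5280 Appendix A upper bounds.

Added example for this thread, not code from OpenSSL or the list. The bounds are
the profile's constants; X.509 itself does not impose them. Standard library only."""

# attribute-type OID -> (name, upper bound in characters), RFC 5280 Appendix A.1
UPPER_BOUNDS = {
    "2.5.4.3": ("commonName", 64),                 # ub-common-name
    "2.5.4.6": ("countryName", 2),                 # ub-country-name-alpha-length
    "2.5.4.7": ("localityName", 128),              # ub-locality-name
    "2.5.4.8": ("stateOrProvinceName", 128),       # ub-state-name
    "2.5.4.10": ("organizationName", 64),          # ub-organization-name
    "2.5.4.11": ("organizationalUnitName", 64),    # ub-organizational-unit-name
}

# String tags that carry a DirectoryString (plus IA5String). Bounds count
# characters, so values are decoded before measuring. latin-1 for
# TeletexString (0x14) is an approximation, good enough for a length check.
STRING_CODECS = {0x13: "ascii", 0x16: "ascii", 0x0C: "utf-8",
                 0x1E: "utf-16-be", 0x1C: "utf-32-be", 0x14: "latin-1"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Dotted form of a DER OBJECT IDENTIFIER body (first octet packs the first two arcs)."""
    first = min(raw[0] // 40, 2)
    arcs, acc = [first, raw[0] - 40 * first], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_name(name_der):
    """Flatten a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) into [(oid, text)]."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)         # RelativeDistinguishedName: SET
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)            # AttributeTypeAndValue: SEQUENCE
            _, oid, q = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, q)
            codec = STRING_CODECS.get(vtag)
            if codec is None:
                raise ValueError(f"unsupported attribute value tag 0x{vtag:02x}")
            out.append((decode_oid(oid), value.decode(codec)))
    return out


def check_upper_bounds(name_der):
    """List (attribute, actual_length, bound) for every value longer than the profile allows."""
    violations = []
    for oid, text in parse_name(name_der):
        if oid in UPPER_BOUNDS:
            attr, bound = UPPER_BOUNDS[oid]
            if len(text) > bound:
                violations.append((attr, len(text), bound))
    return violations


# --- minimal DER encoder, used only to construct the sample input below ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_name(attrs):
    """DER Name with one attribute per RDN; countryName as PrintableString, the rest UTF8String."""
    rdns = b""
    for oid, text in attrs:
        vtag = 0x13 if oid == "2.5.4.6" else 0x0C
        atv = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(vtag, text.encode("utf-8")))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)


# Constructed samples: a conforming subject and one whose CN exceeds ub-common-name.
OK_NAME = build_name([("2.5.4.6", "FR"), ("2.5.4.10", "Example Org"), ("2.5.4.3", "example.test")])
BAD_NAME = build_name([("2.5.4.6", "FR"), ("2.5.4.3", "x" * 65)])

if __name__ == "__main__":
    for label, name in (("ok", OK_NAME), ("bad", BAD_NAME)):
        print(label, parse_name(name), check_upper_bounds(name))
```

The check decodes each value before measuring it because the bounds are in characters, not octets; a 64-character UTF8String commonName can be well over 64 bytes and still conform. Whether to reject a certificate that breaks a bound is a policy decision (the bound belongs to the profile, as the thread notes), so the function only reports.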