The 5280, 3280, and 2459 profiles are utterly broken and useless. They conflate "privilege management" with "identity management" (extendedKeyUsage for the lose), and they have violated ASN.1 and OID management constraints by changing the semantics of an already-defined OID between 2459 and 3280.
I expect that revision 6 of X.509 isn't going to be used by the IETF any time soon, until it's available for free. If it ever is. In the meantime, I'm using the X.509 data structures to do something explicitly out-of-scope for X.509. Here's hoping that it makes it out the door.

-Kyle H

On Sun, Aug 8, 2010 at 1:38 PM, David Shambroom <w...@intersystems.com> wrote:
> RFC 5280 is just what it says it is:
>
> "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"
>
> "tailored for the Internet" (Section 3.1)
>
> No one said that it's anything more. Don't use it if you don't like it, but it's worth knowing about.
>
> Erwann ABALEA wrote:
>> On August 7, 2010, David Shambroom wrote:
>>> See: http://www.ietf.org/rfc/rfc5280.txt
>>
>> RFC5280 is only a profile for X.509 certificates and CRLs, just as RFC3280 and RFC2459 were before it. Hopefully, RFC5280 is of better quality than its predecessors, but it doesn't replace the standard at all. It adds more constraints, some of which are unnecessary (for example, an organizationName or a commonName limited to 64 characters). The RFC acts on top of X.509, and only for public key certificates (i.e. not attribute certificates).
>>
>>> Kyle Hamilton wrote:
>>>> I was asked this morning where to find the X.509 specification, since http://itu.int/ is such a messy website.
>>
>> It's sad the 2008 version is only available for a fee. I always thought the free 2005 version (and corresponding X.5xx standards covering other important aspects) was a good thing to help development.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org