> From: [EMAIL PROTECTED] (Peter Gutmann)
>  
> At the moment CRMF has three major problems:
>  
> 1. No one uses it (I know that that'll change in the future, but it doesn't help
>    encourage implementors at the moment).

Neither do any of the three PKCS 10 schemes - that's why you raised the
question in the first place.


> 2. Pieces of it may be covered by Nortel/Entrust stealth patents, requiring
>    major restructuring to avoid them.

Entrust deserves every bit of distrust they have engendered by their
recent patent actions.  However, there is nothing specific to CRMF
which is especially likely to become encumbered.  If you regard
Carlisle as guilty by association, you might as well use the same
argument against GSS-IDUP, CAST5, or any of the other work he has been
involved with.


> 3. It has some underspecified and downright bizarre fields in there - what the
>    purpose of allowing a subject to specify a CA's DN is is beyond me.  It
>    looks like they've taken every possible X.509 field (including ones which
>    are obsolete or deprecated or make absolutely no sense in a cert request),
>    stuck a tag in front of them, and added them to the message.

Precisely.  It is exactly an X.509 Certificate with every field optional.
Who can predict which field might be needed and which would never, ever,
be needed in a cert request?

You might not see the need for the issuer name, but if I were requesting
a cert from VeriSign, I might populate the request with the Class 1
PCA, the Class 2 PCA, or the Class 3 PCA in the issuer field.
(That might not be a good example, but it extends to intranet CAs which
could have multiple logical issuers at the same physical location.)

What X.509 fields are obsolete or deprecated?  I assume you are
referring to subject and issuer UIDs.  I have rarely seen those fields
populated, but they do have their proponents.  Rare is not the same as
never.
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/  |
+-------------------------------------------------------------------------+
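Added example, not part of the original post and not code from any CRMF implementation: a minimal DER encoder and decoder for the CRMF CertTemplate (RFC 4211, section 5), the structure the two posters are arguing about. It shows the point concretely: the template carries the X.509 TBSCertificate fields, each under its own context-specific tag and each OPTIONAL, so an empty template and a template that names only a logical issuer are both valid encodings. The tag numbers follow RFC 4211 (the module uses IMPLICIT tags; the CHOICE-typed Name fields are necessarily explicit); the DNs, the single-attribute Name encoder and the CA-side issuer check are constructed for this example.

```python
# Added example (not from the original mailing-list post): hand-rolled DER for the
# CRMF CertTemplate of RFC 4211, section 5. Tag numbers are RFC 4211's; everything
# else (DNs, the one-attribute Name encoder, the issuer check) is constructed here.

# CertTemplate components by context tag number (RFC 4211 section 5). Every one is OPTIONAL.
CERT_TEMPLATE_FIELDS = {0: "version", 1: "serialNumber", 2: "signingAlg",
                        3: "issuer", 4: "validity", 5: "subject",
                        6: "publicKey", 7: "issuerUID", 8: "subjectUID",
                        9: "extensions"}
# issuer and subject are of type Name, a CHOICE, so their tags are EXPLICIT even
# though the module declares IMPLICIT TAGS.
EXPLICIT_FIELDS = {"issuer", "subject"}
OID_CN = bytes([0x55, 0x04, 0x03])  # id-at-commonName, 2.5.4.3


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(v):
    """Two's-complement INTEGER, minimal length."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def der_name(cn):
    """Name ::= RDNSequence with a single CN attribute (UTF8String). Constructed helper."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))  # SEQUENCE OF one SET OF one AttributeTypeAndValue


def encode_cert_template(**fields):
    """fields maps a component name to the DER of its untagged inner type.
    Components must appear in schema order, hence the sort by tag number."""
    out = b""
    for tagno, name in sorted(CERT_TEMPLATE_FIELDS.items()):
        if name not in fields:
            continue  # OPTIONAL: simply absent
        inner = fields[name]
        if name in EXPLICIT_FIELDS:
            out += tlv(0xA0 | tagno, inner)  # explicit: wrap the whole Name
        else:
            constructed = inner[0] & 0x20    # keep the constructed bit of the universal tag
            out += bytes([0x80 | constructed | tagno]) + inner[1:]  # implicit: replace the tag
    return tlv(0x30, out)


def read_tlv(buf, pos):
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def decode_cert_template(der):
    """Return {component name: content octets} for the components actually present."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    present, pos = {}, 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if (tag & 0xC0) != 0x80:
            raise ValueError("CertTemplate components must be context-tagged")
        present[CERT_TEMPLATE_FIELDS[tag & 0x1F]] = content
    return present


def build_request_template():
    """Constructed scenario from the post: the requester names a logical issuer and
    its own subject, leaves serial, validity and key to the CA, and (because the
    field exists) also sends a subjectUID, a field most CAs never populate."""
    return encode_cert_template(
        version=der_integer(2),                      # v3
        issuer=der_name("Example Intranet CA 2"),    # constructed DN
        subject=der_name("alice"),                   # constructed DN
        subjectUID=tlv(0x03, b"\x00\x42"),           # BIT STRING, no unused bits
    )


def select_issuer(fields, operated_issuers, default):
    """CA-side check a practitioner wants: honour a requested issuer only if this CA
    operates it. DER is canonical, so Name values can be compared byte for byte."""
    requested = fields.get("issuer")
    if requested is None:
        return default
    if requested not in operated_issuers:
        raise ValueError("requested issuer is not operated by this CA")
    return requested


if __name__ == "__main__":
    fields = decode_cert_template(build_request_template())
    print(sorted(fields))                          # which OPTIONAL components were sent
    print(encode_cert_template().hex())            # the empty template is legal too
```

The empty template encodes as `3000`, which is the whole of the "every field optional" complaint in two bytes; `select_issuer` is the other half of the argument, since a CA that accepts a requester-supplied issuer name has to decide what to do when that name is not one of its own.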
