
1 rfc3280bis-00
David Cooper, NIST
Tim Polk, NIST

2 Development Process
● October 2004: Tim Polk requested that people submit any issues that needed to be addressed in 3280bis
● January 2005: 3280bis design team met to review all submitted issues and agree on an initial resolution for each issue
● February 2005: rfc3280bis-00 posted
● Pending: posting of disposition of comments

3 Design Team
● Sharon Boeyen
● David Cooper
● Stephen Farrell
● Warwick Ford
● Steve Hanna
● Russ Housley
● Tim Polk
● Stefan Santesson

4 Encoding of names
● DN attributes of type DirectoryString may be encoded in either UTF8String or PrintableString
● Expanded support for internationalized names
  – Internationalized Domain Names (IDN)
  – Internationalized Resource Identifiers (IRI)
  – Internationalized email addresses

5 Comparison of Names
● MUST be able to compare DN attributes using the LDAP StringPrep profile
● MUST be able to compare IDNs, IRIs, and internationalized email addresses as specified in the appropriate RFC
● For URIs and IRIs, MUST be able to perform scheme-based normalization for ldap, http, https, and ftp prior to comparison

6 Name Constraints
● Implementation requirements clarified for apps
  – MUST be able to process directoryName
  – SHOULD be able to process rfc822Name, uniformResourceIdentifier, dNSName, and iPAddress
● CAs MUST NOT impose constraints on x400Address, ediPartyName, or registeredID
● Syntax for URI name constraints extended:
    uriconstraint  = ["."] domainstring | scheme ":" ["//"] hostconstraint [schemespecific]
    hostconstraint = ["@"] ["."] domainstring [":" port]
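The two slides above (scheme-based normalization for comparison, and the extended URI name-constraint grammar) together with slide 13 (IRI to URI conversion) describe one processing pipeline: bring the URI into canonical form, then match its host against a constraint. The following is an added example of that pipeline in Python; it is not code from the draft or from NIST. It handles the host-only and scheme + host[:port] forms of the grammar; the "@" userinfo form and the schemespecific tail are not implemented, and a port given in a constraint is assumed to have to equal the URI's port after default-port completion (both are assumptions of this example, not rules stated on the slides). IP-literal hosts are out of scope here, since they belong to the iPAddress name form.

```python
import re
from urllib.parse import urlsplit, quote

# Scheme-based normalization for the four schemes the -00 draft names; a URI that
# names its scheme's default port is equivalent to one that omits it (RFC 3986 6.2.3).
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ldap": 389}
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def normalize_component(s):
    """RFC 3986 6.2.2.2 plus RFC 3987 3.1: decode percent-encoded unreserved characters,
    uppercase the hex digits of every other escape, and percent-encode (as UTF-8) any
    non-ASCII character left over from an IRI. Reserved characters such as '/' stay escaped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%":
            hexpair = s[i + 1:i + 3]
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                raise ValueError("malformed percent-encoding in %r" % s)
            code = int(hexpair, 16)
            out.append(chr(code) if chr(code) in UNRESERVED else "%%%02X" % code)
            i += 3
        else:
            out.append(quote(s[i]) if ord(s[i]) > 0x7F else s[i])
            i += 1
    return "".join(out)


def normalize_uri(uri):
    """Scheme-based normalization of an http/https/ftp/ldap URI or IRI: lowercase scheme,
    host converted to ACE (RFC 3490) and lowercased, default port dropped, escapes
    normalized, and an empty http/https path rewritten as '/' (equivalent per RFC 3986)."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("no scheme-based normalization rule for %r" % scheme)
    if not parts.hostname:
        raise ValueError("URI has no host component")
    host = parts.hostname.encode("idna").decode("ascii").lower()
    port = parts.port
    if port == DEFAULT_PORTS[scheme]:
        port = None
    userinfo = ""
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        userinfo += "@"
    netloc = userinfo + host + (":%d" % port if port is not None else "")
    path = normalize_component(parts.path)
    if not path and scheme in ("http", "https"):
        path = "/"
    result = "%s://%s%s" % (scheme, netloc, path)
    if parts.query:
        result += "?" + normalize_component(parts.query)
    return result


def host_matches(host, domainstring):
    """Host rule for URI constraints: a leading '.' means any host within that domain
    (subdomains only); without it the host must match exactly. Constraints live in an
    IA5String, so they are already in ACE form and only need lowercasing."""
    if domainstring.startswith("."):
        return host.endswith(domainstring)
    return host == domainstring


def uri_matches_constraint(uri, constraint):
    """Match a URI against one uriconstraint (host-only, or scheme ':' ['//'] host [':' port])."""
    parts = urlsplit(normalize_uri(uri))
    host = parts.hostname
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    c = constraint.lower()
    if ":" in c and not c.startswith("."):
        scheme, rest = c.split(":", 1)
        if scheme != parts.scheme:
            return False
        rest = rest[2:] if rest.startswith("//") else rest
        hostpart, _, portpart = rest.partition(":")
        if portpart and int(portpart) != port:   # assumption: constraint port must equal URI port
            return False
        return host_matches(host, hostpart)
    return host_matches(host, c)
```

Note the two classic mistakes this avoids: comparing URIs before normalization (so `HTTPS://Www.Example.COM:443/` and `https://www.example.com/` look different) and implementing the exact-host form as a bare suffix match (which would let `notexample.com` satisfy an `example.com` constraint).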

7 Distribution Points
● SHOULD NOT use nameRelativeToIssuer or reasons
● cRLIssuer field MUST include the DN from the issuer field of the CRL, using identical encoding
● More information provided about the format of URIs and the format of the data pointed to by URIs (ldap, http, and ftp)

8 AIA and SIA
● More information provided about the format of URIs and the format of the data pointed to by URIs (ldap, http, and ftp)
  – For LDAP, the URI MUST specify a distinguishedName and attribute(s) and MAY specify a host name
  – For HTTP and FTP, the URI MUST point to a file containing either a single DER encoded certificate (.cer) or a collection of certificates (“certs-only” CMS message, .p7c)
● Multiple entries in AIA or SIA may point to the same information or to different information
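Slides 7 and 8 say what an HTTP or FTP pointer in a CDP, AIA or SIA extension may return: a single DER certificate or a certs-only CMS message. A client that fetches such a pointer has to tell the two apart and pull the certificates out of the CMS wrapper. The following added example does that with a small hand-written DER reader; it is not code from the draft or from NIST. The two sample "certificates" are constructed placeholders with the outer shape of a Certificate (SEQUENCE of tbsCertificate, signatureAlgorithm, signatureValue) so that the classification can be exercised offline; they are not real certificates and would not verify. Input is assumed to be DER, as the draft requires (PEM responses, which some servers return in practice, are out of scope here).

```python
# Minimal DER helpers (definite-length only, as DER requires).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(x) for x in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, end_offset). Rejects indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length: not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def der_children(body):
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, end = der_read(body, pos)
        out.append((tag, value, body[pos:end]))
        pos = end
    return out


ID_SIGNED_DATA = der_oid("1.2.840.113549.1.7.2")   # RFC 3852 id-signedData
ID_DATA = der_oid("1.2.840.113549.1.7.1")          # RFC 3852 id-data


def certs_only_cms(cert_ders):
    """Wrap DER certificates in a certs-only SignedData (RFC 3852 section 5.2, the degenerate
    case with no signers): version 1, empty digestAlgorithms, id-data with no content."""
    signed_data = tlv(0x30,
                      tlv(0x02, b"\x01") +                  # version
                      tlv(0x31, b"") +                      # digestAlgorithms SET (empty)
                      tlv(0x30, ID_DATA) +                  # encapContentInfo { id-data }
                      tlv(0xA0, b"".join(cert_ders)) +      # certificates [0] IMPLICIT CertificateSet
                      tlv(0x31, b""))                       # signerInfos SET (empty)
    return tlv(0x30, ID_SIGNED_DATA + tlv(0xA0, signed_data))   # ContentInfo


def extract_certificates(blob):
    """Classify a download from a CDP/AIA/SIA URI and return the DER certificates in it:
    a bare Certificate (.cer) yields itself; a certs-only CMS message (.p7c) yields the
    members of its certificates field. Anything else is rejected."""
    tag, body, end = der_read(blob)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single DER SEQUENCE")
    kids = der_children(body)
    if len(kids) == 2 and kids[0][0] == 0x06:               # ContentInfo { contentType, [0] content }
        if kids[0][2] != ID_SIGNED_DATA or kids[1][0] != 0xA0:
            raise ValueError("CMS message is not SignedData")
        sd_tag, sd_body, _ = der_read(kids[1][1])
        if sd_tag != 0x30:
            raise ValueError("malformed SignedData")
        for field_tag, field_val, _raw in der_children(sd_body):
            if field_tag == 0xA0:                            # certificates [0] IMPLICIT
                return [raw for t, _v, raw in der_children(field_val) if t == 0x30]
        return []
    if len(kids) == 3 and kids[0][0] == 0x30 and kids[2][0] == 0x03:   # tbsCertificate, sigAlg, BIT STRING
        return [blob]
    raise ValueError("neither a Certificate nor a certs-only CMS message")


# Constructed placeholders shaped like a Certificate; NOT real certificates.
SAMPLE_CERT_A = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01")) + tlv(0x30, der_oid("1.2.840.113549.1.1.11")) + tlv(0x03, b"\x00\xAA"))
SAMPLE_CERT_B = tlv(0x30, tlv(0x30, tlv(0x02, b"\x02")) + tlv(0x30, der_oid("1.2.840.113549.1.1.11")) + tlv(0x03, b"\x00\xBB"))
```

The ContentInfo/Certificate distinction rests on the first element of the outer SEQUENCE: an OBJECT IDENTIFIER means CMS, a nested SEQUENCE (the tbsCertificate) means a bare certificate. Rejecting indefinite lengths and trailing bytes up front keeps a fetched blob from being partially parsed into something it is not.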

9 Other changes
● PrivateKeyUsagePeriod extension moved from section 4 to a new appendix (D)
● Support for the inhibitPolicyMapping field of policyConstraints is optional
● PolicyMappings changed from MUST be non-critical to SHOULD be critical

10 Internationalized Name Types
● Directory Names
● Domain Names
● Resource Identifiers
● Email Addresses

11 Directory Names
● Strategy:
  – Mandate transformation on comparison rather than on storage (ISO compatibility)
  – Transform using the LDAP stringprep profile
    ● Normalize, compress white space
● Side Effects
  – No impact on storage or encoding
  – Supports migration to UTF8
  – Establishes uniform expectations for name constraints processing

12 Domain Names
● Strategy:
  – Convert internationalized labels to ASCII Compatible Encoding (ACE) labels as defined in RFC 3490
  – Encode in the dNSName field of SubjectAltName
● Side Effects
  – Comparison logic is unaffected; still comparing two ASCII domain names
  – Conforming implementations must implement RFC 3490 (IDNA), RFC 3491 (Nameprep), and RFC 3492 (Punycode)

13 Resource Identifiers
● Strategy:
  – Convert Internationalized Resource Identifiers (IRIs) to URIs as defined in RFC 3987
  – Encode in the uniformResourceIdentifier field of SubjectAltName
  – Comparisons use scheme- and/or protocol-based rules as defined in RFC 3987
    ● High end of the RFC 3987 comparison ladder
● Side Effects
  – Breaks current products

14 Email Addresses
● Strategy
  – Local part of the email address is transformed to UTF8 but interpreted literally (no normalization)
  – Host part is converted and compared as described for domain names
  – Encoded in rfc822Name in SubjectAltName
● Side Effects
  – Need a new prefix for the local part of the email address
  – Comparison logic is unaffected; still comparing two ASCII email addresses
  – No new code: reuse of domain name conversion and comparison tools
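Slides 12 and 14 share one mechanism: convert the domain part to ACE and compare ASCII strings, while the local part of a mailbox is compared literally. The following added example shows both, plus the dNSName and rfc822Name forms of name-constraint matching as they appear in RFC 5280 section 4.2.1.10 (the published rfc3280bis); it is not code from the draft or from NIST. Python's standard-library `idna` codec implements IDNA2003, i.e. exactly the RFC 3490/3491/3492 trio slide 12 requires. The prefix for a UTF-8 local part that slide 14 leaves open is not implemented; the local part is taken as given and compared byte for byte.

```python
def to_ace(domain):
    """ToASCII of RFC 3490 applied label by label via the standard library's 'idna' codec
    (IDNA2003: Nameprep per RFC 3491, Punycode per RFC 3492). The codec leaves pure-ASCII
    labels untouched, so they are lowercased here for case-insensitive comparison."""
    return domain.encode("idna").decode("ascii").lower()


def dns_names_equal(a, b):
    """Two dNSName values match when their ACE forms are identical (slide 12: the
    comparison itself is still ASCII against ASCII)."""
    return to_ace(a) == to_ace(b)


def dns_name_in_subtree(name, constraint):
    """dNSName constraint: 'example.com' covers example.com itself and any name formed by
    adding labels on the left. Suffix matching without the dot boundary would wrongly let
    'notexample.com' satisfy an 'example.com' constraint."""
    n, c = to_ace(name), to_ace(constraint)
    return n == c or n.endswith("." + c)


def split_email(addr):
    """Split an rfc822Name at the last '@' (quoted local parts containing '@' are not
    handled here)."""
    local, sep, host = addr.rpartition("@")
    if not sep or not local or not host:
        raise ValueError("not a mailbox: %r" % addr)
    return local, host


def emails_equal(a, b):
    """Slide 14 rule: the local part is compared literally (case-sensitive, no
    normalization); the host part is converted and compared like a domain name."""
    la, ha = split_email(a)
    lb, hb = split_email(b)
    return la == lb and to_ace(ha) == to_ace(hb)


def email_in_subtree(addr, constraint):
    """rfc822Name constraint forms: a full mailbox matches only that mailbox;
    'example.com' matches any mailbox at that host; '.example.com' matches any mailbox
    in a subdomain of example.com (but not at example.com itself)."""
    local, host = split_email(addr)
    if "@" in constraint:
        return emails_equal(addr, constraint)
    if constraint.startswith("."):
        return to_ace(host).endswith("." + to_ace(constraint[1:]))
    return to_ace(host) == to_ace(constraint)
```

Because every comparison goes through `to_ace`, a certificate carrying the ACE form (`xn--mnchen-3ya.example`) and a reference identifier typed as `MÜNCHEN.example` match without any Unicode-aware logic in the matcher itself, which is the point the slide makes about comparison logic being unaffected.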

15 The Way Forward
● Post disposition of comments
● Review new functionality
  – Name constraints for URIs
  – Internationalization of names
● Submit -01 draft to resolve comments on the design team's resolution of round 1 comments and on new functionality in the -00 draft
  – Obtain prefix for local part of email address?
● Last Call on -01 draft
