Safe Form Bar certificate matching issues

Raised by:
Thomas Roessler
Opened on:
The safe form bar specification includes a specific matching algorithm for PKIX certificates. This algorithm should be reviewed in light of what the PKIX spec itself says.

Known issues:

- There is some material based on CN, but subjectAltName is ignored
- Two certificates are considered identical if the same key material is encapsulated
- The text uses the notion of "same certification authority", and defines that notion in terms of "both installed as trusted certificate chain roots identified by the same name in the user agent's presentation to the user", as opposed to using the certificate's isuser field. (Note contradiction to material elsewhere in the spec!)
- Certificates are considered to identify the same entity based on comparing specific attributes of the subject field.
Related Actions Items:
Related emails:
  1. Draft Minutes for 2009-01-21 (from on 2009-01-22)
  2. ACTION-317: Different notions of KCM in different parts of the document (from on 2008-01-17)
  3. Mez' review of wsc-xit (from on 2007-12-07)
  4. ACTION-348: cert related terminology (from on 2007-12-05)
  5. Agenda: WSC WG distributed meeting, Wednesday, 2007-12-05 (from on 2007-12-04)
  6. ISSUE-121: Safe Form Bar certificate matching issues [Techniques] (from on 2007-10-11)

Related notes:

Thomas Roessler, 11 Oct 2007, 10:35:23

Display change log ATOM feed

Mary Ellen Zurko <>, Chair, Thomas Roessler <>, Staff Contact
Tracker (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <>.
$Id: 121.html,v 1.1 2010/10/11 09:35:04 dom Exp $