Title: Security - Clarify representation of AMHS identities in ATN certificates
PDR Reference: M2080003
Originator Reference: PDR-SV8-1
SARPs Document Reference: Sub-Volume VIII, edition 3
Status: RESOLVED
Impact: C
PDR Revision Date:
  07 Oct 2002 (Resolved)
  02 Oct 2002 (Proposed)
  23 Sep 2002 (Accepted)
PDR Submission Date: 24 Aug 2002 (Submitted)
Submitting State/Organization: FAA
Submitting Author Name: Simon Blake-Wilson
Submitting Author E-mail Address: sblakewilson@bcisse.com
Submitting Author Supplemental Contact Information: +1-416-214-5961
SARPs Date: Doc 9705 Edition 3
SARPs Language: English

Summary of Defect:
SV8 is currently ambiguous about whether AMHS entities identified by an X.501 distinguished name are identified in ATN certificates. Specifically, 8.4.3.1.3.5.1 suggests that the name be placed in the subject field, while 8.4.3.1.3.9.3.4 suggests that it be placed in the subjectAltName field. Propose to clarify that the distinguished name is placed in the subject field.

Assigned SME: Sub-Volume VIII SME

Proposed SARPs amendment:
1/ 8.4.3.1.3.5.1: Remove: "(rather than an X.400 name)".
2/ 8.4.3.1.3.9.3.4: Reword clause to read: "If the subject is an AMHS entity with an X.400 address, the subject alternative name extension shall contain the entity's X.400 address."
3/ 8.4.3.1.3.9.3.4: add note below clause. Note to read: "Note.- AMHS entities are identified by distinguished names and/or X.400 addresses. Distinguished names are placed in the subject field, and X.400 names are placed in the subject alternative name extension. If an AMHS entity has both a distinguished name and an X.400 address, both the subject field and the subject alternative name extension are populated."

Comment from SV8 SME (22 September 2002):
The defect identified is correct; however, it is also necessary to address extension ordering in the case that the subjectAltName extension is not populated. Since an AMHS entity will always have an X.400 address, the SARPs amendment should therefore be modified as follows to assume that subjectAltName is always present.

Proposed SARPs amendment:
1/ 8.4.3.1.3.5.1: Remove: "(rather than an X.400 name)".
2/ 8.4.3.1.3.9.3.4: Reword clause to read: "If the subject is an AMHS entity, the subject alternative name extension shall contain the entity's X.400 address."
3/ 8.4.3.1.3.9.3.4: add note below clause. Note to read: "Note.- AMHS entities are identified by X.400 addresses and optionally in addition distinguished names. X.400 addresses are placed in the subject alternative name extension, and if present distinguished names are placed in the subject field. If an AMHS entity has both a distinguished name and an X.400 address, both the subject field and the subject alternative name extension are populated."

Impact on interoperability: Minor. AMHS entity certificates containing a distinguished name in the subject alternate name extension are no longer valid.
Validation status: Thorough inspection should be sufficient.
SME Recommendation to CCB: Progress to RESOLVED.
CCB Decision: RESOLVED
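Added example, not part of the PDR and not code from any ICAO or ATN implementation: a self-contained check of the naming rule the resolved amendment establishes, applied to DER-encoded subject and subjectAltName values. The GeneralName choice tags (x400Address [3], directoryName [4]) and the empty-subject rule are from RFC 5280 section 4.2.1.6; the sample ORAddress encodes only a handful of X.411 standard attributes with constructed placeholder values, and that attribute selection, the CN used for the distinguished name, and all helper names are assumptions for illustration. The checker flags the pre-amendment reading (distinguished name carried as directoryName in subjectAltName) and accepts the amended layout (X.400 address in subjectAltName, distinguished name, if any, in subject).

```python
# Added example: where an AMHS entity's names sit in an X.509 certificate.
# Not ICAO/ATN code; a minimal DER encoder/decoder written for this page.

UNIVERSAL_SEQUENCE = 0x30
UNIVERSAL_SET = 0x31
PRINTABLE_STRING = 0x13
OID = 0x06
CTX_CONSTRUCTED = 0xA0   # context-specific, constructed; tag number in low bits
CTX_PRIMITIVE = 0x80     # context-specific, primitive
APP_CONSTRUCTED = 0x60   # application class, constructed

X400_ADDRESS = 3         # GeneralName x400Address   [3] ORAddress (implicit: ORAddress is a SEQUENCE)
DIRECTORY_NAME = 4       # GeneralName directoryName [4] Name      (explicit: Name is a CHOICE)


def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def printable(s):
    return tlv(PRINTABLE_STRING, s.encode("ascii"))


def parse_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the single-byte-tag TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length


def parse_children(content):
    """Split the content octets of a SEQUENCE/SET into (tag, content) children."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        items.append((tag, body))
    return items


def encode_name(common_name):
    """Name ::= SEQUENCE OF RDN (SET OF AttributeTypeAndValue); one CN (2.5.4.3) suffices here."""
    atv = tlv(UNIVERSAL_SEQUENCE, tlv(OID, bytes([0x55, 0x04, 0x03])) + printable(common_name))
    return tlv(UNIVERSAL_SEQUENCE, tlv(UNIVERSAL_SET, atv))


def encode_or_address(country, admd, prmd, org):
    """Content of an X.411 ORAddress SEQUENCE holding one BuiltInStandardAttributes:
    country-name [APPLICATION 1], administration-domain-name [APPLICATION 2],
    private-domain-name [2] (explicit, CHOICE), organization-name [3] (implicit).
    Which attributes appear is an assumption for the example."""
    built_in = (tlv(APP_CONSTRUCTED | 1, printable(country))
                + tlv(APP_CONSTRUCTED | 2, printable(admd))
                + tlv(CTX_CONSTRUCTED | 2, printable(prmd))
                + tlv(CTX_PRIMITIVE | 3, org.encode("ascii")))
    return tlv(UNIVERSAL_SEQUENCE, built_in)


def san_x400(or_address_content):
    return tlv(CTX_CONSTRUCTED | X400_ADDRESS, or_address_content)   # [3] replaces the SEQUENCE tag


def san_directory_name(name_der):
    return tlv(CTX_CONSTRUCTED | DIRECTORY_NAME, name_der)            # [4] wraps the whole Name TLV


def subject_alt_name(*general_names):
    """GeneralNames ::= SEQUENCE OF GeneralName."""
    return tlv(UNIVERSAL_SEQUENCE, b"".join(general_names))


def check_amhs_names(subject_der, san_der, san_critical):
    """Apply the amended 8.4.3.1.3.9.3.4 rule: X.400 address mandatory in subjectAltName,
    distinguished name (if any) in subject and never in subjectAltName. Returns (ok, findings)."""
    findings = []
    tag, subj_content, _ = parse_tlv(subject_der)
    dn_in_subject = tag == UNIVERSAL_SEQUENCE and len(subj_content) > 0
    tag, san_content, _ = parse_tlv(san_der)
    if tag != UNIVERSAL_SEQUENCE:
        return False, ["subjectAltName value is not a GeneralNames SEQUENCE"]
    tags = [t for t, _ in parse_children(san_content)]
    if (CTX_CONSTRUCTED | X400_ADDRESS) not in tags:
        findings.append("no x400Address in subjectAltName; mandatory for an AMHS entity")
    if (CTX_CONSTRUCTED | DIRECTORY_NAME) in tags:
        findings.append("distinguished name carried as directoryName in subjectAltName; it belongs in subject")
    if not dn_in_subject and not san_critical:
        findings.append("empty subject requires a critical subjectAltName (RFC 5280 4.2.1.6)")
    return not findings, findings


# Constructed sample values for a fictitious AMHS user agent (not a real address or name).
OR_ADDRESS = encode_or_address("XX", "ICAO", "AFTN", "EXAMPLE-ORG")
DN = encode_name("Example AMHS UA")
EMPTY_SUBJECT = tlv(UNIVERSAL_SEQUENCE, b"")
OLD_SAN = subject_alt_name(san_directory_name(DN), san_x400(OR_ADDRESS))  # pre-amendment reading
NEW_SAN = subject_alt_name(san_x400(OR_ADDRESS))                           # amended rule

if __name__ == "__main__":
    print("DN in subject, X.400 in SAN:", check_amhs_names(DN, NEW_SAN, False))
    print("no DN, X.400 in critical SAN:", check_amhs_names(EMPTY_SUBJECT, NEW_SAN, True))
    print("DN in SAN (rejected):", check_amhs_names(EMPTY_SUBJECT, OLD_SAN, True))
```

The checker only inspects the top-level GeneralName tags, so it does not depend on the internal layout of the ORAddress; a real validator would additionally decode the ORAddress and match it against the AMHS entity's registered address, and would take the criticality flag from the certificate's Extension structure rather than as a parameter.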