51: The certificate field corresponding to the AVL pinningId is not defined

Created: 14 Jul 2024

Status: Discussion (red)

Part: Part 9 (2023, Edition2)

Links:

Page: 74

Clause: 7.8.5

Paragraph: 1

Issue

The AVL pinningId extension definition does not explicitly state which field of the public-key certificate it corresponds to. From the context it seems to correspond only to the SAN field, but this is not explicit.

Proposal

The X509 standard (X509-201910, https://www.itu.int/rec/T-REC-X.509-201910-I/en) for distinguishedName has the following text: "The entityGroup alternative shall be taken when the entry represents an entity group with which the entity may accept communications. An entity group is characterized by having a distinguished name prefix in common within the name of the subject component for public-key certificates issued to the members of the group."

I think we should follow that lead and update 7.8.5 to say that the pinningId explicitly corresponds to entries in the SAN field: "The pinningId corresponds to the information found in the subjectAltName component", or something to that effect.

Discussion

Created: 04 Sep 24
Status: Discussion (red)
OK.

Created: 27 Aug 24
Status: Discussion (red)
Proposal to accept as editorial change to address the discovered typo.

Created: 23 Jul 24
Status: Discussion (red)
Based on the comment above:
- pinningId extension explanation will stay as is
- an editorial correction of the typo will be done resulting in
should this not be
IDENTIFIED BY {avl62351Extension 2}

Created: 16 Jul 24
Status: Accepted
I have no additional comment, but I think there is a typo in section 7.8.5 of IEC 62351-9.
In the definition of pinningId, the current text is:
IDENTIFIED BY {avl62351Extion 2}

should this not be
IDENTIFIED BY {avl62351Extension 2}

Created: 15 Jul 24
Status: Accepted
The pinningID was intended to allow the association of an entry in the AVL with a specific IP address. This was intended specifically for cases when the information about the IP address is NOT contained in the certificate SAN field and thus could be used to restrict applicability of the certificate. The defined pinningID also allows for other fields of "GeneralNames", which may be used.

In that sense, the currently stated explanation "The pinningId extension supports the association of a certificate with the IP address (or another identifier), if the certificate itself does not provide IP address information as part of the subjectAltName extension." should be sufficient.
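The rule described in the 15 Jul 24 comment, written out as an added checker (example code, not text from IEC 62351-9 or from this tissue): SAN iPAddress entries govern when present; otherwise the AVL entry's pinningId restricts where the certificate applies. The (type, value) tuple form of GeneralName, the `certificate_applies` function and the treatment of an entry with neither SAN IP nor pinningId as unrestricted are assumptions of this example.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

# Assumed representation of one GeneralName, e.g. ("iPAddress", "192.0.2.10")
# or ("dNSName", "ied1.example"); not the ASN.1 encoding used by the standard.
GeneralName = Tuple[str, str]
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def san_ip_addresses(san: List[GeneralName]) -> List[IPAddr]:
    """Return the parsed iPAddress entries of a subjectAltName (may be empty)."""
    return [ipaddress.ip_address(value) for kind, value in san if kind == "iPAddress"]


def certificate_applies(peer_ip: str, san: List[GeneralName],
                        pinning_id: Optional[GeneralName]) -> bool:
    """Decide whether a certificate with the given SAN may be used from peer_ip.

    Modelled rule (an interpretation of the comment, not the normative text):
    - SAN carries iPAddress entries  -> the peer address must be one of them;
      the AVL pinningId is not consulted.
    - SAN carries no IP information  -> the AVL entry's pinningId, when it is an
      iPAddress, restricts the certificate to that address.
    - neither present                -> assumed unrestricted by IP.
    Only iPAddress pinning is checked here; other GeneralName types would need
    the matching peer identifier (e.g. its DNS name), so they fail closed.
    """
    peer = ipaddress.ip_address(peer_ip)
    san_ips = san_ip_addresses(san)
    if san_ips:
        return peer in san_ips
    if pinning_id is None:
        return True
    kind, value = pinning_id
    if kind != "iPAddress":
        raise ValueError(f"pinningId of type {kind} is not checkable against an IP address")
    return peer == ipaddress.ip_address(value)


if __name__ == "__main__":
    # Constructed sample: SAN without IP information, AVL entry pinned to one address.
    san_no_ip = [("dNSName", "ied1.example")]
    print(certificate_applies("192.0.2.10", san_no_ip, ("iPAddress", "192.0.2.10")))  # True
    print(certificate_applies("192.0.2.11", san_no_ip, ("iPAddress", "192.0.2.10")))  # False
```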


Tissue DB v. 24.11.8.1