
RE: New Liaison Statement, "Liaison to IETF on the resolution of DR320"

At 12:37 PM -0400 10/19/07, Tom Gindin wrote:
>         I know this response is a little late, but the main reason that
> there is no central repository for CA names is that there is no world-wide
> directory using X.500 names.

While the latter is obviously true, it is not the "main reason". The "main reason" is that many (most?) CAs could get no real value out of a "world-wide directory using X.500 names". For example, when an organization becomes a CA by making its own trust anchor for internal use, having to register in a "world-wide directory" is a hindrance, not a feature.

> For reasons which have been discussed many
> times on this list, there probably never will be.

"Probably" may be understating the likelihood.

> Of course,  the IETF
> knows of an existing registry which could be used to avoid conflicts
> between CA names.

We do?

>         How about the following wording: "Certificate Authorities SHOULD
> NOT use a value in the Organization or Common Name attribute of their
> Distinguished Name which is syntactically legal as a dNSName (i.e. an IA5
> string containing one or more periods but no spaces) unless they are
> operated by an organization which has registered the domain name
> controlling that dNSName.  Certificate Authorities wishing to ensure a
> globally unique issuer name MAY use an IA5 FQDN controlled by their
> organization in either the Organization or the Common Name attribute."

This might be appropriate in an ITU document, but is it really appropriate for a standards-track IETF document? Specifically, the latter makes it sound like using your domain name is safe. Might be, might not be.

> Does anybody want to add Organizational Unit into the mix, and possibly
> even make it a SHOULD for newly allocated CA's?

I don't see how this would help. If you look at the OUs in IssuerNames of certificates flying around the net, you can see that few people understand OUs,

>         Given my unfamiliarity with non-alphabetic scripts, I hesitate to
> discuss internationalized DNS names in this connection unless Punycode is
> relevant.  However, even without considering DR 320, using somebody else's
> domain name as your CN or O attribute is misleading.

True, but I do not think that it is the place of IETF documents to say what is or is not "misleading".

--Paul Hoffman, Director
--VPN Consortium
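As an added illustration of the wording quoted above (this is editor-supplied example code, not part of the original thread and not from either author), the following Python implements the proposed syntactic test for "looks like a dNSName" (IA5 string, one or more periods, no spaces) over the O and CN attributes of an issuer name, and checks the "unless the organization has registered the controlling domain" escape clause against a caller-supplied set of registered domains. It also runs a stricter RFC 1034/1123 hostname-syntax check alongside, to show that the proposal's test also matches strings such as a version label "v1.0" that are not domain names at all. The attribute values, the registered-domain sets and the function names are constructed for the example; nothing here parses real certificates.

```python
"""
Apply the proposed "SHOULD NOT use a dNSName-like value in O or CN" rule
to constructed issuer-name attributes, and compare its loose syntactic
test with a strict hostname-syntax test.  Example code; not from the thread.
"""
import re

# RFC 1034 preferred syntax / RFC 1123 label: letters, digits and hyphens,
# no leading or trailing hyphen, 1-63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_ia5(value: str) -> bool:
    """IA5String covers only 7-bit ASCII code points."""
    return all(ord(c) < 128 for c in value)


def looks_like_dnsname(value: str) -> bool:
    """The proposal's test: IA5, at least one period, no spaces."""
    return is_ia5(value) and "." in value and " " not in value


def is_hostname_syntax(value: str) -> bool:
    """Stricter test: every label is a valid RFC 1034/1123 label, at least two
    labels, total length <= 253, and the last label is not all digits (so a
    dotted-quad IP address is rejected)."""
    if not is_ia5(value) or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def controls(value: str, registered_domains: set) -> bool:
    """True if value equals, or is a subdomain of, a registered domain."""
    v = value.rstrip(".").lower()
    for domain in registered_domains:
        d = domain.rstrip(".").lower()
        if v == d or v.endswith("." + d):
            return True
    return False


def check_issuer(attrs: dict, registered_domains: set) -> dict:
    """attrs maps 'O' and/or 'CN' to their string values.  Returns a verdict
    per attribute: 'ok' (not dNSName-like), 'ok-controlled' (dNSName-like but
    under a registered domain) or 'violation' (dNSName-like, not controlled)."""
    verdicts = {}
    for attr in ("O", "CN"):
        value = attrs.get(attr)
        if value is None:
            continue
        if not looks_like_dnsname(value):
            verdicts[attr] = "ok"
        elif controls(value, registered_domains):
            verdicts[attr] = "ok-controlled"
        else:
            verdicts[attr] = "violation"
    return verdicts


# Constructed issuer names and registered-domain sets (not real CAs).
EXAMPLES = [
    ({"O": "Example Corp", "CN": "Example Root CA"}, {"example.com"}),
    ({"O": "example.com", "CN": "Example Root CA"}, {"example.com"}),
    ({"O": "ca.example.net", "CN": "Internal CA"}, {"example.com"}),
    ({"O": "Example Corp", "CN": "v1.0"}, set()),
]

if __name__ == "__main__":
    for attrs, domains in EXAMPLES:
        print(attrs, "->", check_issuer(attrs, domains))
    # Shows where the proposal's test and real hostname syntax disagree.
    for value in ("ca.example.com", "v1.0", "10.0.0.1", "Example Corp"):
        print(f"{value!r}: proposal={looks_like_dnsname(value)} "
              f"hostname={is_hostname_syntax(value)}")
```

Run it as a script to see the per-attribute verdicts; the last loop prints the cases where the loose "period, no space" test and strict hostname syntax disagree, which is the kind of ambiguity the "might be, might not be" reply above points at.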