Re: New Liaison Statement, "Liaison to IETF on the resolution of DR320"

[Steven Legg <steven.legg@xxxxxxxxxxx>]

Tom Gindin wrote:
>         I know this response is a little late, but the main reason that 
> there is no central repository for CA names is that there is no world-wide 
> directory using X.500 names.  For reasons which have been discussed many 
> times on this list, there probably never will be.  Of course,  the IETF 
> knows of an existing registry which could be used to avoid conflicts 
> between CA names.
>         How about the following wording: "Certificate Authorities SHOULD 
> NOT use a value in the Organization or Common Name attribute of their 
> Distinguished Name which is syntactically legal as a dNSName (i.e. an IA5 
> string containing one or more periods but no spaces) unless they are 
> operated by an organization which has registered the domain name 
> controlling that dNSName.  Certificate Authorities wishing to ensure a 
> globally unique issuer name MAY use an IA5 FQDN controlled by their 
> organization in either the Organization or the Common Name attribute."

... or use the dc naming attribute defined in RFC 4519.

Regards,
Steven

> Does anybody want to add Organizational Unit into the mix, and possibly 
> even make it a SHOULD for newly allocated CA's?
>         Given my unfamiliarity with non-alphabetic scripts, I hesitate to 
> discuss internationalized DNS names in this connection unless Punycode is 
> relevant.  However, even without considering DR 320, using somebody else's 
> domain name as your CN or O attribute is misleading.
>
>                 Tom Gindin
>
> P.S. -  The opinions above are mine, and not necessarily those of my 
> employer
>
>
>
> Ryan Hurst <Ryan.Hurst@xxxxxxxxxxxxx> 
> Sent by: owner-ietf-pkix@xxxxxxxxxxxx
> 10/09/2007 08:47 PM
>
> To
> Paul Hoffman <paul.hoffman@xxxxxxxx>, Russ Housley <housley@xxxxxxxxxxxx>, 
> "ietf-pkix@xxxxxxx" <ietf-pkix@xxxxxxx>
> cc
>
> Subject
> RE: New Liaison Statement, "Liaison to IETF on the resolution   of  DR320"
>
>
>
>
>
>
>
> All of these statements are true.
>
> Words fail me is as fine a response to that as any...
>
> ________________________________________
> From: owner-ietf-pkix@xxxxxxxxxxxx [owner-ietf-pkix@xxxxxxxxxxxx] On 
> Behalf Of Paul Hoffman [paul.hoffman@xxxxxxxx]
> Sent: Tuesday, October 09, 2007 3:25 PM
> To: Russ Housley; ietf-pkix@xxxxxxx
> Subject: Re: New Liaison Statement, "Liaison to IETF on the resolution of 
> DR320"
>
> The ITU statement says the following:
>
> > > One of the participants in the directory meeting stated that
> > > Certification Authorities are being deployed with names not
> > > acquired from naming authorities but with names arbitrarily chosen
> > > assuming that no other CA is or will be operating under that name.
>
> That is, of course, true. There is no central repository for CA names
> because there is no central authority for CAs.
>
> > > That participant further stated that the IETF provides no
> > > guidelines on ensuring that the names of CAs are unambiguous.
>
> That is true.
>
> > > The directory group requests the IETF PKIX group to comment on this
> > > statement.
>
> Should we make a consensus call on "that is true"?
>
> > > If the statement is correct, we ask the IETF to consider putting a
> > > mechanism in place to prevent conflict, e.g. a list of existing CA
> > > names that deployers of new CAs could check for naming conflicts.
>
> Words fail me.
>
> --Paul Hoffman, Director
> --VPN Consortium