Re: New Liaison Statement, "Liaison to IETF on the resolution of DR320"
Paul,
I agree with what you say. However, "Words fail me" may have multiple interpretations.
We are going to invent a mechanism to prevent conflict, e.g. a list of existing CA
names that deployers of new CAs could check for naming conflicts.
We are not going either to mandate the use of the DC naming attribute to guarantee
DN uniqueness.
The text from DR 320 is:
On page 12, the current text states “serialNumber is an integer assigned
by the CA to each certificate. The value of serialNumber shall be unique
for each certificate issued by a given CA (i.e., the issuer name and serial number
identify a unique certificate).”
The text inside the parenthesis should be deleted: the DN of the issuer name
cannot be guaranteed to be unique (the collision may be deliberate or accidental)
and therefore the issuer name and serial number cannot uniquely identify a certificate.
The text of the answer to DR 320 states:
"This DR advanced an argument that Distinguished Names may
not be unique and as such, the DN of the Certificate User may not be unique.
The directory group believes that Distinguished Name values must be
unique and unambiguously identify a single entity, hence the use of
the term Distinguished".
The implications are that DR 320 has been rejected by the directory group on a wrong basis.
Denis
>The ITU statement says the following:
>>>One of the participants in the directory meeting stated that
>>>Certification Authorities are being deployed with names not
>>>acquired from naming authorities but with names arbitrarily chosen
>>>assuming that no other CA is or will be operating under that name.
>That is, of course, true. There is no central repository for CA names
>because there is no central authority for CAs.
>>>That participant further stated that the IETF provides no
>>>guidelines on ensuring that the names of CAs are unambiguous.
>That is true.
>>>The directory group requests the IETF PKIX group to comment on this
>>>statement.
>Should we make a consensus call on "that is true"?
>>>If the statement is correct, we ask the IETF to consider putting a
>>>mechanism in place to prevent conflict, e.g. a list of existing CA
>>>names that deployers of new CAs could check for naming conflicts.
>Words fail me.
>--Paul Hoffman, Director
>--VPN Consortium
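The point Denis raises about DR 320 (that issuer name plus serialNumber only identifies a certificate if issuer DNs are themselves unique) can be shown with a small index of certificate records. The following is an added illustration, not code from the thread or from any PKIX document: it builds a lookup table keyed on (issuer DN, serialNumber), shows the ambiguity that appears when two unrelated CAs have chosen the same DN, and contrasts it with a table keyed on a key identifier derived from the issuer's public key. The certificate records, the CA names and the key bytes are all constructed sample data; the key identifier is a SHA-256 prefix over placeholder bytes rather than a real SubjectPublicKeyInfo hash.

```python
"""Added example (not part of the mailing-list thread): (issuer DN, serial)
is only a unique certificate identifier when issuer DNs cannot collide.
All records below are constructed sample data, not real X.509 certificates.
"""
from collections import defaultdict
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class CertRecord:
    issuer_dn: str       # issuer Distinguished Name, as the CA chose it
    serial: int          # serialNumber: unique per issuing CA, not globally
    issuer_spki: bytes   # issuer public key (constructed placeholder bytes)
    subject_dn: str


class AmbiguousIdentifier(LookupError):
    """Raised when an identifier maps to more than one certificate."""


def issuer_key_id(spki: bytes) -> str:
    """Identifier derived from the issuer's public key.

    Two CAs with the same DN still have different keys, so a key-derived
    identifier separates them. SHA-256 prefix here, purely for illustration.
    """
    return sha256(spki).hexdigest()[:16]


def build_index(certs, key_fn):
    """Group certificates under key_fn(cert); return (index, collisions)."""
    index = defaultdict(list)
    for cert in certs:
        index[key_fn(cert)].append(cert)
    collisions = {k: v for k, v in index.items() if len(v) > 1}
    return dict(index), collisions


def by_name_and_serial(cert):
    return (cert.issuer_dn, cert.serial)


def by_key_and_serial(cert):
    return (issuer_key_id(cert.issuer_spki), cert.serial)


def lookup(index, key):
    """Relying-party style lookup: exactly one match or an error."""
    matches = index.get(key, [])
    if not matches:
        raise KeyError(key)
    if len(matches) > 1:
        raise AmbiguousIdentifier(f"{key} matches {len(matches)} certificates")
    return matches[0]


# Constructed sample: two unrelated CAs both chose the DN "CN=Example CA",
# whether by accident or on purpose, and both issued serial 1001.
CA_A_KEY = b"constructed-public-key-of-CA-A"
CA_B_KEY = b"constructed-public-key-of-CA-B"

SAMPLE_CERTS = [
    CertRecord("CN=Example CA", 1001, CA_A_KEY, "CN=alice"),
    CertRecord("CN=Example CA", 1002, CA_A_KEY, "CN=bob"),
    CertRecord("CN=Example CA", 1001, CA_B_KEY, "CN=carol"),
]


def collision_counts(certs=SAMPLE_CERTS):
    """Number of ambiguous identifiers under each keying scheme."""
    _, name_collisions = build_index(certs, by_name_and_serial)
    _, key_collisions = build_index(certs, by_key_and_serial)
    return len(name_collisions), len(key_collisions)


if __name__ == "__main__":
    name_idx, _ = build_index(SAMPLE_CERTS, by_name_and_serial)
    key_idx, _ = build_index(SAMPLE_CERTS, by_key_and_serial)
    print("collisions (name, key):", collision_counts())
    try:
        lookup(name_idx, ("CN=Example CA", 1001))
    except AmbiguousIdentifier as exc:
        print("name-based lookup:", exc)
    print("key-based lookup:",
          lookup(key_idx, (issuer_key_id(CA_A_KEY), 1001)).subject_dn)
```

The name-based index reports one ambiguous identifier (serial 1001 under "CN=Example CA") while the key-based index reports none, which is exactly the distinction DR 320 draws: the serialNumber rule guarantees uniqueness per CA, and only a globally unique issuer identifier turns that into a globally unique certificate identifier.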