
Re: draft liaison response re DR 320

See a change proposal in the middle of the text.

Folks,

Since there has been a lot of discussion on this topic, I wanted to share the current draft of a formal response to ITU-T re DR 320.

Steve
-----

Gentlemen:

This is a response to your communiqué of 2007-10-05 re Defect Report 320 submitted to ITU-T SG17. The PKIX Working Group met in Vancouver on 2007-12-03 and discussed your message and DR 320. We agree that the X.500 model, and X.501 specifically, defines a DN as a globally unique identifier in The Directory. As you noted, name uniqueness is a critical feature of hierarchic distributed naming schemes, such as X.500 and the DNS, and for e-mail addresses. In the Internet we have successfully dealt with the problem of name uniqueness for DNS names and, as a corollary, for RFC 822 e-mail addresses. However, it has required a substantial investment of resources over about 25 years to achieve our current status in this regard. Unfortunately, the X.500 directory model, perhaps in part because of its richer naming semantics, has not achieved the same status. It often is not an easy task for a CA to examine a proposed name and determine if the Subject has the right to that name, when the name is a DN.

I propose to delete the following sentence, since we do not agree with all the observations made in DR 320.

Thus we agree with the observations made in DR 320.


It is a fact that Certification Authorities (CAs) are being deployed with names chosen locally, without acquiring a DN from a naming authority.


This sentence is very important and its consequences should be mentioned. I propose to add the following text:

"As a consequence, nothing may prevent two unrelated CAs from choosing the same DN for two different entities (e.g. end-entities, CAs, CRL Issuers, OCSP responders). By implication, a CA DN and a serial number taken alone do not necessarily identify a single entity."

It also is true that the IETF provides no guidance to CAs on how to choose names that are unambiguous, or on how CAs might coordinate on global scale to avoid name collisions for themselves and for the entities to whom they issue certificates.

We have discussed this matter in the PKIX Working Group, and have consulted with the Security Area Directors and with the IETF Chair. We do not anticipate that PKIX or any other working group in the IETF will take any action to address this problem. Thus, for example, we do not plan to establish a list of DNs of extant CAs to be checked by prospective CAs.
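The consequence proposed above (two unrelated CAs choosing the same DN, so that issuer DN plus serial number no longer identifies a single certificate) can be reproduced directly. The program below is an added illustration written for this archive page; it is not part of the draft response or of any IETF document. It uses only the Go standard library: it creates two self-signed CAs with byte-identical subject DNs, has each issue a leaf with serial number 1000, and shows that a table keyed on (issuer DN, serial) silently loses one certificate while a table that also includes the issuer's key identifier keeps both. The CA name, the serial number and the truncated SHA-256 key identifier are illustrative choices, not values from the draft.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertKey is a lookup key for a certificate; how Issuer is built is the whole point.
type CertKey struct {
	Issuer string
	Serial string
}

// keyID derives a key identifier from the SPKI encoding (SHA-256 truncated to 20 bytes).
// RFC 5280 suggests SHA-1 over the key bits; any key-derived value serves this demo.
func keyID(pub *ecdsa.PublicKey) ([]byte, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(spki)
	return sum[:20], nil
}

// NewCA builds a self-signed CA whose DN is chosen locally, with no naming authority.
// Two calls with the same name yield two unrelated CAs with identical DNs.
func NewCA(commonName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ski, err := keyID(&key.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example"}, CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId:          ski,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf issues an end-entity certificate with a caller-chosen serial number.
// Go copies the CA's SubjectKeyId into the leaf's AuthorityKeyId extension.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ByName keys on (issuer DN, serial) only: the identification the draft says is not globally unique.
func ByName(c *x509.Certificate) CertKey {
	return CertKey{Issuer: c.Issuer.String(), Serial: c.SerialNumber.String()}
}

// ByNameAndKey adds the issuer key identifier, which depends on the issuing key, not on the chosen name.
func ByNameAndKey(c *x509.Certificate) CertKey {
	return CertKey{Issuer: c.Issuer.String() + "#" + hex.EncodeToString(c.AuthorityKeyId), Serial: c.SerialNumber.String()}
}

// Index stores each certificate under keyFn and reports how many distinct entries survive.
func Index(certs []*x509.Certificate, keyFn func(*x509.Certificate) CertKey) int {
	m := make(map[CertKey]*x509.Certificate)
	for _, c := range certs {
		m[keyFn(c)] = c // a later certificate silently overwrites an earlier one with the same key
	}
	return len(m)
}

// Result summarises the collision scenario.
type Result struct {
	SameIssuerDN  bool // both leaves carry byte-identical issuer names
	NameIndexed   int  // distinct entries when keyed by (issuer DN, serial)
	KeyIndexed    int  // distinct entries when keyed by (issuer DN, issuer key id, serial)
	CrossVerifies bool // whether CA 1's leaf also verifies under CA 2 (expected false)
}

// RunScenario builds two same-named CAs, issues one leaf each with serial 1000, and compares the two indexing schemes.
func RunScenario() (Result, error) {
	var r Result
	ca1, key1, err := NewCA("Example Root CA")
	if err != nil {
		return r, err
	}
	ca2, key2, err := NewCA("Example Root CA") // same DN, unrelated key
	if err != nil {
		return r, err
	}
	alice, err := IssueLeaf(ca1, key1, 1000, "alice")
	if err != nil {
		return r, err
	}
	bob, err := IssueLeaf(ca2, key2, 1000, "bob")
	if err != nil {
		return r, err
	}
	certs := []*x509.Certificate{alice, bob}
	r.SameIssuerDN = bytes.Equal(alice.RawIssuer, bob.RawIssuer)
	r.NameIndexed = Index(certs, ByName)
	r.KeyIndexed = Index(certs, ByNameAndKey)
	r.CrossVerifies = alice.CheckSignatureFrom(ca2) == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The name-only index keeps one entry for two certificates, so a CRL or OCSP lookup, or a certificate store, keyed that way cannot tell alice's certificate from bob's; the index that folds in the issuer's key identifier keeps both, and the signature check confirms the two chains are unrelated despite the identical issuer DN.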