Re: New other certs extension I-D
Stephen,
It seems that your concern might be solved using RFC 4043: Permanent Identifier.
The permanent identifier is an optional feature that may be used by a
CA to indicate that two or more certificates relate to the same
entity, even if they contain different subject names (DNs) or
different names in the subjectAltName extension, or if the name or
the affiliation of that entity stored in the subject or another name
form in the subjectAltName extension has changed.
   id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 3 }

   PermanentIdentifier ::= SEQUENCE {
       identifierValue    UTF8String           OPTIONAL,
                              -- if absent, use a serialNumber attribute,
                              -- if there is such an attribute present
                              -- in the subject DN
       assigner           OBJECT IDENTIFIER    OPTIONAL
                              -- if absent, the assigner is
                              -- the certificate issuer
   }
Your proposal is along the following lines:

   OtherCertificates ::= SEQUENCE OF IssuerAndSerialNumber

It would not permit an unambiguous link, since it does not address the case of two CAs
that would bear the same name.
Denis
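Added illustration (not code from this thread, from RFC 4043 or from the draft): the two linking rules side by side, over constructed sample certificates. The Cert fields, the issuer_key_id stand-in that tells two same-named CAs apart, and the assigner OID 2.999.1 (ITU-T example arc) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical, reduced certificate model: only the fields the linking rules consult.
@dataclass(frozen=True)
class Cert:
    issuer_dn: str                          # issuer distinguished name
    issuer_key_id: str                      # constructed stand-in for the CA key (not used by name-based matching)
    serial: int                             # certificate serial number
    subject: dict                           # subject DN attributes, e.g. {"CN": ..., "serialNumber": ...}
    perm_id_value: Optional[str] = None     # PermanentIdentifier.identifierValue (None = absent)
    perm_id_assigner: Optional[str] = None  # PermanentIdentifier.assigner OID (None = absent)

def effective_permanent_identifier(cert):
    """Apply the RFC 4043 defaults: absent identifierValue -> subject serialNumber
    attribute; absent assigner -> the certificate issuer. None when no usable value."""
    value = cert.perm_id_value if cert.perm_id_value is not None else cert.subject.get("serialNumber")
    if value is None:
        return None
    assigner = cert.perm_id_assigner if cert.perm_id_assigner is not None else ("issuer", cert.issuer_dn)
    return (assigner, value)

def same_entity(a, b):
    """Two certificates relate to the same entity when their effective
    (assigner, identifierValue) pairs are equal, even if subject names differ."""
    pa, pb = effective_permanent_identifier(a), effective_permanent_identifier(b)
    return pa is not None and pa == pb

def find_by_issuer_and_serial(certs, issuer_dn, serial):
    """Resolve an IssuerAndSerialNumber reference the way the OtherCertificates
    proposal can: by issuer name and serial only, so same-named CAs collide."""
    return [c for c in certs if c.issuer_dn == issuer_dn and c.serial == serial]

# Constructed sample data: two distinct CAs that bear the same name, each having issued serial 42.
CA_A = ("CN=Example CA", "keyid-A")
CA_B = ("CN=Example CA", "keyid-B")
EXAMPLE_ASSIGNER = "2.999.1"   # constructed OID under the ITU-T example arc
OLD_CERT = Cert(*CA_A, 42, {"CN": "Alice Smith"}, "E-12345", EXAMPLE_ASSIGNER)
RENEWED_CERT = Cert(*CA_A, 43, {"CN": "Alice Jones"}, "E-12345", EXAMPLE_ASSIGNER)  # renamed subject
OTHER_CERT = Cert(*CA_B, 42, {"CN": "Bob", "serialNumber": "E-99"})  # value absent: falls back to serialNumber
NO_ID_CERT = Cert(*CA_B, 7, {"CN": "Carol"})                          # nothing to link on
DEMO_CERTS = [OLD_CERT, RENEWED_CERT, OTHER_CERT, NO_ID_CERT]

def demo():
    """Count how many certificates an issuer+serial reference resolves to, and
    whether the permanent identifier links the old and renewed certificate."""
    return {"issuer_serial_matches": len(find_by_issuer_and_serial(DEMO_CERTS, "CN=Example CA", 42)),
            "linked_by_permanent_identifier": same_entity(OLD_CERT, RENEWED_CERT)}
```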
=====================================================
>Hi all,
>
>A problem came up in another forum of how to
>link together various certs belonging (or that
>belonged) to the same end entity. Without some
>additional naming rules beyond 3280 that can
>be tricky so I've written up a one-page-plus-
>boilerplate I-D [1] describing a possible general
>approach.
>
>I don't know if this should or should not
>be a PKIX WG item, but would welcome comments
>(in particular if there's a better way to
>solve the problem with some current extension).
>
>Regards,
>Stephen.
>
>[1] http://www.ietf.org/internet-drafts/draft-farrell-pkix-other-certs-00.txt
>