Re: SEIS: RE: Cert comparison needs AI?
David,
>"ensuring uniqueness" is a defined semantic, even if the process by
>which uniqueness is ensured is relegated to the CPS (or CP) for a
>particular domain. Although I have one quarrel with the definition, I
>basically agree with Stefan that using the serialNumber attribute to
>contain a true serial number (a static identifier which refers to the
>same entity even when the Common Name changes) fits within an amended
>definition:
I have never said it does not fit the definition; I just dislike the idea of overloading the semantics
of serialNumber with the semantics of dnQualifier and not having any defined way in the certificate
to specify which semantic the certificate is actually using.
> "Comparing two qualified certificates to determine if they
> represent the same physical entity may provide misleading results
> and should be performed with care."
>
>It is obvious that just because a QC contains an "unmistakeable
>identity" does not imply that there is only one possible unmistaken
>identity for a given physical entity. It's hard to see how this
>result would be "misleading" to anyone.
>
>On the other hand, if two certs contain the identical unmistakeable
>identities yet refer to two different physical entities, then the
>identities must not have been so unmistakeable in the first place,
>and the QC has failed to satisfy the requirements of section 2.
I would say that the QC sample is an example of a certificate that
could generate incorrect results, as it seems that a QC-conforming
CA could issue certificates for a person with a certain name and later
(maybe after the person is dead or removed from the files)
issue a certificate for a person with an identical name, etc.
CONCLUSION: Whether QCs can be compared or not is an IMPORTANT (as it is
performed right now in many pre-QC systems using unique identifiers)
QC property that either is a part of the CPS or (even better) becomes
a property of the QC itself.
Anders