Re: Identification confusion continues
Carlisle,
>I try to make it a personal policy not to mention Entrust products in this
>type of forum (i.e., the PKIX list), but since you asked explicitly, I'll
>make an exception.
thanx!
>The Entrust PKI allows the terminal RDN in a DN to be something like
>"cn=Fred Smith + sn=12345". That is, a serial number (for example, an
>employee id.) may be used to ensure uniqueness in DNs that might otherwise
>clash (due to non-uniqueness of the common name in a large organization).
>Nothing mandated, of course; this is just a possible way of populating the
>DN field.
>
>My understanding is that a number of our customers have chosen to configure
>their DNs in this way. This actually is current practice in many real
>environments.
I would not say that employee ids have much to do with name clashes. Employee ids
are in 99.9% of all cases unique identities. Name independent. These fit the serial number description
without tweaking the original specification more than replacing device with individual.
I.e., I stay unconvinced that serialNumbers are used as dnQualifiers (which I am pretty sure
Entrust supports as well?) in the way it was interpreted by most of the PKI community
just some months ago.
But actually this does not matter at all. What DOES matter is that the ambiguous
use of serialNumber in QC is not left in its current UNDEFINED state.
Anders
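The multi-valued terminal RDN Carlisle describes ("cn=... + serial number") can be illustrated with a small parser and a uniqueness check. This is an added example, not code from the thread or from Entrust; the DN strings are constructed, and the attribute is spelled serialNumber (2.5.4.5) because the short name sn is registered for surname, not serial number.

```python
# Added example (not from the PKIX thread): parse RFC 4514-style DN strings,
# including multi-valued RDNs such as "cn=Fred Smith+serialNumber=12345",
# and show that a serialNumber attribute in the terminal RDN disambiguates
# subjects that would otherwise clash on common name alone.

def parse_dn(dn):
    """Parse a DN string into a list of RDNs, most specific RDN first.
    Each RDN is a frozenset of (type, value) pairs, so the order of
    attributes inside a multi-valued RDN does not affect equality.
    Backslash escapes for ',' '+' '=' are honoured; attribute types are
    lower-cased, values are compared literally (real X.500 matching rules
    are more lenient, e.g. case-insensitive DirectoryString matching)."""
    rdns, attrs, cur, i = [], [], [], 0

    def flush_attr():
        typ, sep, val = "".join(cur).partition("=")
        if not sep:
            raise ValueError("attribute without '=' in DN: %r" % dn)
        attrs.append((typ.strip().lower(), val.strip()))
        cur.clear()

    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped char: keep literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == "+":                         # next attribute, same RDN
            flush_attr()
        elif c == ",":                       # end of this RDN
            flush_attr()
            rdns.append(frozenset(attrs))
            attrs.clear()
        else:
            cur.append(c)
        i += 1
    flush_attr()
    rdns.append(frozenset(attrs))
    return rdns

def find_clashes(dn_strings):
    """Return the set of parsed DNs that occur more than once."""
    seen = {}
    for s in dn_strings:
        key = tuple(parse_dn(s))
        seen[key] = seen.get(key, 0) + 1
    return {k for k, n in seen.items() if n > 1}

# Constructed sample: two different people named Fred Smith in one OU.
BY_NAME_ONLY = ["cn=Fred Smith,ou=Sales,o=Example Corp,c=SE"] * 2
WITH_SERIAL = [
    "cn=Fred Smith+serialNumber=12345,ou=Sales,o=Example Corp,c=SE",
    "serialNumber=67890+cn=Fred Smith,ou=Sales,o=Example Corp,c=SE",
]
```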