RE: QC: Identification confusion continues
Charlie,
I am beginning to understand your position as more of the history of dnq is
revealed. I can even accept your solution - imperfect but usable. Your
solution does go against X.520's explicitly stated intention for dnq, but
perhaps "intended" does not carry the same weight as "shall" or "must" in a
standard.
If QC does revert to using dnq to disambiguate multiple John Smiths, it
should add a paragraph such as:
"X.520 intended dnQualifier to disambiguate entries in different
directories, with the same value used for all entries within a directory.
This intention, which is now deprecated, does not preclude the use of
dnQualifier as defined in this standard."
This paragraph would, at last, document this interpretation of dnq in a
standard. Future users of the standard (who will not have been privy to
these PKIX discussions, as I was not privy to other committee meetings) will
understand the clash with X.520 (and perhaps question it no more).
P.S. The "reference source" & "basis" for the objection was the 2nd sentence
of the X.520 (1993 & 1997) definition of dnQualifier. No experience, no
implementations, no legacy systems, no commercial imperatives, no history
(well a little), no compatibility, ...
My motivation was to keep the meaning in attribute types. I see potential
value in knowing the type of an item and in the arrangement of types
(Att/RDN/DN). However, this value vanishes if the syntax is used without
the semantics, or at least diminished if the semantics are loosened. This
motivation impacts dnq in two ways: firstly, the much-discussed clash with
the "2nd sentence" in X.520 (clash = loosened semantics); secondly, the
chance to use dnq to alleviate more important semantic perversions like
VeriSign's misuse of org & org unit. I hoped dnq could be used to include
issuer information in a subject DN without implying a strong relationship
between the subject and the info (using org implies an "affiliation" between
the two).
The end game: for a computer looking at a DN (& little else) to be able to
understand what it means.
P.S. Where is dnQualifier deprecated (standard/draft/discussion/..)? Is it
just the "intended use" sentence that is deprecated or the whole attribute?