
RE: Stray Poll: SerialNumber definition



Denis,

<snip>
>> serialNumber DN Disambiguer usage:
>> 
>>         cn=John Doe, sn=456
>>         cn=John Doe, sn=200
>>         cn=Pamela Anderson, sn=200
>> 
>> Anticipated ID algorithm: The DN as a whole is used as an unmistakable identity
>> The three certificates MAY (or may not) denote different persons.

>This seems simple but does not work. :-(  In a DN, some AVAs are
>long term invariants while some others are not. What would be needed
>is to qualify a subset of the AVAs that is an invariant. For
>example, an OU in some cases may change over time and there is no
>wish to re-issue a certificate when the change occurs. So it would
>be nice to keep e.g. cn=John Doe, sn=200, even if the OU has
>changed.

You are referring to a non-real-world problem looking for an X.500 solution.
In the REAL world you use employee IDs (if they are organization-wide) or
you have to issue a new certificate.

<snip>
>> Anticipated ID algorithm: Only SN is used to identify the subject.  

>Ah! Ah! It seems that we are reinventing the wheel. :-)

>Once upon a time, ... there used to be an X.509 v2 certificate with
>an optional field called: "SubjectUnique Identifier". Its use has
>been deprecated. However what is described here matches with the
>intended usage of that field. 

AFAIK it was deprecated due to its BIT STRING syntax and (in a very odd way)
partially replaced by serialNumber.  This is used in huge PKIs as a UID.

<snip>

Anders
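The three identity rules argued over in this thread (whole DN, serialNumber only, and Denis's "invariant subset" that ignores a changeable OU), applied to the DNs from the post, as an added illustration that is not part of the original message. It assumes the simple string DN form used above, one AVA per RDN, and follows the post in abbreviating serialNumber as "sn" (in LDAP naming "sn" is surname, so both spellings are accepted here).

```python
# Added example, not from the thread: compare certificate subject DNs under the
# three identity rules discussed (whole DN, serialNumber only, invariant subset).

SERIAL_TYPES = {"sn", "serialnumber"}  # post abbreviates serialNumber as "sn"


def parse_dn(dn):
    """Parse 'cn=John Doe, sn=200' into a list of (type, value) AVAs.
    Assumption: string form, one AVA per RDN, no escaped commas."""
    avas = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        attr_type = attr_type.strip().lower()
        if attr_type in SERIAL_TYPES:
            attr_type = "serialnumber"  # normalise the two spellings
        avas.append((attr_type, value.strip()))
    return avas


def same_by_whole_dn(dn_a, dn_b):
    # Rule 1: the DN as a whole is the identity (order-insensitive).
    return set(parse_dn(dn_a)) == set(parse_dn(dn_b))


def same_by_serial_number(dn_a, dn_b):
    # Rule 2: only serialNumber identifies the subject; every other AVA is ignored.
    sn_a = dict(parse_dn(dn_a)).get("serialnumber")
    sn_b = dict(parse_dn(dn_b)).get("serialnumber")
    return sn_a is not None and sn_a == sn_b


def same_by_invariant_subset(dn_a, dn_b, volatile=("ou",)):
    # Rule 3: the DN minus the AVAs declared volatile (e.g. OU) is the identity,
    # so an OU change does not break the match and need not force re-issuance.
    keep_a = {ava for ava in parse_dn(dn_a) if ava[0] not in volatile}
    keep_b = {ava for ava in parse_dn(dn_b) if ava[0] not in volatile}
    return keep_a == keep_b


if __name__ == "__main__":
    # Constructed scenario from the post: same person, OU changed in the new cert.
    old = "cn=John Doe, sn=200, ou=Sales"
    new = "cn=John Doe, sn=200, ou=Marketing"
    print("whole DN:", same_by_whole_dn(old, new))            # False
    print("serialNumber:", same_by_serial_number(old, new))   # True
    print("invariant:", same_by_invariant_subset(old, new))   # True
```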