
Re: Straw Poll: SerialNumber definition



     This question may be split into several separate ones.  First, should
there exist standard attributes with the following characteristics:

  1) affiliation ID, typically an employee ID, a membership ID, or a customer
     number, assigned by either the organization in the DN containing it or
     one of the organizational units in that DN, and which must be unique at
     the time of its assignment (not necessarily for all time);
  2) DN Disambiguator, added to at least one of two otherwise identical DNs by
     a directory administrator or a CA for the purpose of breaking an
     ambiguity;
  3) national ID, which is similar to affiliation ID but assigned by the
     country in the DN?

Second, if defined, should they be permitted in DNs?  Third, should any
existing standard X.520 attributes be mapped onto any of these three, which
would require some amendments to their definitions in X.520?  Fourth, for any
attributes permitted in DNs, are they permitted to appear in the same RDN as a
CN or Surname attribute?

     The suggestions which have been made which involve "yes" for the third
question are that serial number be interpreted for persons (for which it is
currently undefined) as affiliation ID or national ID above, and that the
clause requiring that DN Qualifier have the same value for all entries in a
single DSA be repealed, and then DN Qualifier be used as one of the three
possibilities above.

      I know of no real argument that either affiliation ID or DN
Disambiguator is an inappropriate or undesirable attribute, and the only
question about national ID is whether it is desirable from a privacy
standpoint.  National policy might well ban its use in some countries, and
ban its use as a naming attribute in others.  I am one of those who have
suggested that serial number's definition be amended and that it be used
for affiliation ID.  I also think that any of these attributes should be
permitted in the same RDN as personal name attributes if they are permitted
in names at all.  Some of the responses in this poll have left me unsure as
to how a relying party could tell whether the proposed use of serial number
or DN Qualifier was expected to be unique on a country basis or on an
organization basis.

     There are two further questions which arise if one or both of the IDs
above are defined as attributes or mapped to existing ones.  Should there
be separate attributes for variants of either or both of the IDs above
which imply that the ID is expected to be unique over very long periods of
time (multiple centuries for national ID), so that a DN containing the ID
but no personal name is a long-lived identity?  Also, should affiliation ID
above be further subdivided according to the nature of the affiliation
(employee, member, customer, etc.)?

          Tom Gindin

P.S. The opinions above are mine, and not necessarily those of my employer.
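The fourth question in the post, whether a serial number or DN Qualifier may sit in the same RDN as the CN, only helps a relying party whose name comparison handles multi-valued RDNs correctly: the added attribute is a set member of the leaf RDN, not part of the CN value, and attribute order within the RDN must not matter. The following is an added example, not code from Tom Gindin's post or from any X.500 or PKIX implementation: a stdlib-only Python parser for RFC 4514 DN strings that compares names with a simplified caseIgnoreMatch-style rule. The sample DNs and the names parse_dn, same_dn, naming_attribute and demo are constructed for the illustration, and it deliberately leaves out RFC 4514 hex escapes and the RFC 5280 section 7.1 StringPrep profile (both assumptions noted in the code).

```python
"""Added example: parse RFC 4514 DN strings with multi-valued RDNs and compare
them the way a relying party must, so that an affiliation ID (serialNumber) or
DN Qualifier placed in the same RDN as the CN actually disambiguates two
otherwise identical names.  Stdlib only; the sample DNs below are constructed."""
from __future__ import annotations

import re


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, keeping backslash-escaped separators ('\\,' or '\\+')."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):   # keep the escape pair intact for now
            buf.append(s[i:i + 2])
            i += 2
            continue
        if c == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def _normalize(value: str) -> str:
    """caseIgnoreMatch-style normalisation: drop simple backslash escapes,
    collapse internal whitespace, strip the ends, and case-fold.  Simplification
    (assumption): RFC 4514 hex escapes such as '\\2C' are not decoded, and the
    RFC 5280 section 7.1 StringPrep profile is not applied."""
    unescaped = re.sub(r"\\(.)", r"\1", value)
    return " ".join(unescaped.split()).casefold()


def parse_dn(dn: str) -> list[frozenset[tuple[str, str]]]:
    """RFC 4514 string -> list of RDNs (leaf first, as written), each RDN a set
    of (attribute type, normalised value).  A '+'-joined multi-valued RDN
    becomes a set, so the order of its AVAs is irrelevant to comparison."""
    rdns: list[frozenset[tuple[str, str]]] = []
    for rdn in _split_unescaped(dn, ","):
        avas: set[tuple[str, str]] = set()
        for ava in _split_unescaped(rdn, "+"):
            typ, eq, val = ava.partition("=")
            if not eq or not typ.strip():
                raise ValueError(f"malformed AVA: {ava!r}")
            avas.add((typ.strip().lower(), _normalize(val)))
        if not avas:
            raise ValueError(f"empty RDN in {dn!r}")
        rdns.append(frozenset(avas))
    return rdns


def same_dn(a: str, b: str) -> bool:
    """True when the two DN strings name the same entry under the rules above."""
    return parse_dn(a) == parse_dn(b)


def naming_attribute(dn: str, attr_type: str) -> str | None:
    """Return the normalised value of attr_type from the leaf RDN, or None.
    Lets a relying party see whether the leaf carries a serialNumber or
    dnQualifier alongside the CN; it says nothing about the scope (country or
    organization) in which that value is unique, which the DN alone cannot tell."""
    leaf = parse_dn(dn)[0]
    for typ, val in leaf:
        if typ == attr_type.lower():
            return val
    return None


def demo() -> dict[str, bool]:
    """Constructed sample DNs (not from the post) exercising the cases."""
    alice = "CN=Alice Example,OU=Sales,O=Example Corp,C=US"
    alice_fmt = "cn=alice  example, ou=Sales, o=Example Corp, c=US"
    tagged = "CN=Alice Example+serialNumber=E-10457,OU=Sales,O=Example Corp,C=US"
    tagged_rev = "serialNumber=E-10457+CN=Alice Example,OU=Sales,O=Example Corp,C=US"
    qualified = "CN=Alice Example+dnQualifier=2,OU=Sales,O=Example Corp,C=US"
    escaped = r"CN=Example\, Alice,OU=Sales,O=Example Corp,C=US"
    return {
        "formatting_only_differences_match": same_dn(alice, alice_fmt),
        "ava_order_within_rdn_irrelevant": same_dn(tagged, tagged_rev),
        "serialNumber_in_cn_rdn_disambiguates": not same_dn(alice, tagged),
        "dnQualifier_in_cn_rdn_disambiguates": not same_dn(alice, qualified),
        "escaped_comma_not_a_separator": len(parse_dn(escaped)) == 4,
        "leaf_carries_affiliation_id": naming_attribute(tagged, "serialNumber") == "e-10457",
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two comparisons that matter for the post's question are the third and fourth in demo(): a DN whose leaf RDN is the bare CN and one whose leaf RDN is the same CN plus a serialNumber or dnQualifier are different names, while reordering the AVAs inside that RDN or changing case and spacing is not. Note that naming_attribute can report that a serialNumber is present in the leaf RDN, but nothing in the DN tells the relying party whether that value was meant to be unique per organization or per country, which is exactly the ambiguity the post raises.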