[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Straw Poll: SerialNumber definition

To: Paul Koning <pkoning@xxxxxxxxx>, Denis.Pinkas@xxxxxxxx
Subject: Re: Straw Poll: SerialNumber definition
From: Tony Bartoletti <azb@xxxxxxxx>
Date: Tue, 22 Feb 2000 11:49:03 -0800
Cc: ietf-pkix@xxxxxxx, EL-SIGN@xxxxxxxxxxxx
In-reply-to: <>
References: <><>

At 10:43 AM 02/21/2000 -0500, Paul Koning wrote:
> >>>>> "Denis" == Denis Pinkas <Denis.Pinkas@bull.net> writes:
>
>  Denis> As David Kemp noticed it there are two ways to use additional
>  Denis> RDN attributes:
>
>  Denis> 1) as a disambiguator,
>
>  Denis> Originally the idea was to add a disambiguator only in the
>  Denis> case where two certificates, without the disambiguator, would
>  Denis> contain identical DNs.
>
>  Denis> 2) as a static identifier.
>
>  Denis> Originally the idea was to use the static identifier without
>  Denis> using the other DN components, which meant that the static
>  Denis> identifier was sufficient to identify an individual.
>
>  Denis> The first case means that *all* the components of the DN are
>  Denis> used in conjunction with the dnq (DN Qualifier), while the
>  Denis> second means that *none* of the components of the DN are used
>  Denis> in conjunction with the dnq (DN Qualifier).
>
>  Denis> In addition to these two extremes (all versus none), there is
>  Denis> a number of variations where the dnq (DN Qualifier) does not
>  Denis> apply to all or none, but to *some* of the components of the
>  Denis> DN. This would solve other concerns raised on that thread.
>
>Ouch.
>
>The situation we started from is that there were two ways of
>interpreting a particular attribute.  The new situation you're
>pointing to is to increase that number from 2 to N.  I think that's a
>large step in the wrong direction.
>
>The problem with many standards is that they have too many options,
>not too few.  Adding more stuff for the purpose of adding N-2 new
>options is not a good thing at all, in my view.
>
>         paul

In retrospect, had a value been built-in to the spec, indicating
which subset of DN/RDN attributes constitute "unique-id" from an
issuing CAs perspective, it could be seen as reducing 2 ways to 1.
I.E., ALWAYS rely on the given subset specification.  While this
would make processing mechanical, it would not help in promoting
a "common uniqueness profile" if that is the real concern.

___tony___


___tony___
Tony Bartoletti 925-422-3881 <azb@llnl.gov>
Information Operations, Warfare and Assurance Center
Lawrence Livermore National Laboratory
Livermore, CA 94551-9900

References:
- Re: Straw Poll: SerialNumber definition
  - From: tgindin
- Re: Straw Poll: SerialNumber definition
  - From: Denis Pinkas
- Re: Straw Poll: SerialNumber definition
  - From: Paul Koning

Prev by Date: Re: Diffie-Hellman DomainParameters question
Next by Date: Re: SEIS: RE: WG last call for draft-ietf-pkix-qc-o3.txt
Previous by thread: Re: Straw Poll: SerialNumber definition
Next by thread: Re: Straw Poll: SerialNumber definition
Index(es):
- Date
- Thread