Plug'nPlay Certificates. Was: SerialNumber definition
Stefan,
I keep my fingers crossed.
<snip>
>This is a predefined statement dedicated to include information that would
>clarify the actual content in the DN attributes.
>Let's say that we added another optional data element "dnIdentityMask" in the
>SemanticsInformation:
>
>
>    SemanticsInformation ::= SEQUENCE {
>        semanticsIdentifier          OBJECT IDENTIFIER OPTIONAL,
>        nameRegistrationAuthorities  NameRegistrationAuthorities OPTIONAL,
>        dnIdentityMask               DnIdentityMask OPTIONAL }
>
>    DnIdentityMask ::= BIT STRING {
>        countryName             (0),
>        commonName              (1),
>        surname                 (2),
>        givenName               (3),
>        pseudonym               (4),
>        serialNumber            (5),
>        organizationName        (6),
>        organizationalUnitName  (7),
>        stateOrProvinceName     (8),
>        localityName            (9),
>        postalAddress           (10) }
>
>
>The defined meaning of dnIdentityMask would then be to specify the minimum
>set of attributes needed to obtain a unique identity of the subject, needed
>to identify the subject among all subjects handled by the CA.
Is this not (in principle at least) exactly what Denis (and I, in a less formal way) suggested, and
was immediately rejected by others?
Well, if you REALLY plan to do changes, what do you think of the Naming Domain addition I proposed
that should complement the package to allow what I would call Plug'nPlay Certificates?
What do you think of the impact of such a statement on cert comparisons? I (and Denis?)
think that the existence of such a statement should directly (or implicitly) indicate that you can do that.
I welcome such changes, but I have almost lost faith in this process, where "purity" (with respect
to X.500) is given precedence over deployment and current practice. I would, though, be very
worried to squeeze all this in in a week or so. If you go ahead, that will delay the process
another 4 weeks at least. I have no problems whatsoever with that.
BTW, why not reinstate dnQualifier, although it is a little bit redundant, as it is already in use?
In principle (sloppy, but this is where we are today) dnq should be used as a name disambiguator and
serialNumber as some kind of more or less static identity versus a naming domain. Note: this is not
a high-priority issue, but why "outlaw" something that has until very recently become suspect?
I am now talking about son-of-RFC 2459 rather than just QC.
Anders
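As an added example (not part of Stefan's or Anders' mail), the Python below DER-encodes the proposed DnIdentityMask named BIT STRING and applies it to subject DNs, which is the certificate-comparison use Anders asks about. Attribute names are plain strings and the DNs are constructed samples; the named bits follow the quoted definition.

```python
from typing import Dict, Iterable, Set

# Named bits exactly as in the proposed DnIdentityMask definition quoted above.
DN_IDENTITY_BITS = {
    "countryName": 0, "commonName": 1, "surname": 2, "givenName": 3,
    "pseudonym": 4, "serialNumber": 5, "organizationName": 6,
    "organizationalUnitName": 7, "stateOrProvinceName": 8,
    "localityName": 9, "postalAddress": 10,
}
BIT_TO_NAME = {v: k for k, v in DN_IDENTITY_BITS.items()}

def encode_mask(names: Iterable[str]) -> bytes:
    """DER-encode the named BIT STRING (DER drops trailing zero bits, X.690 11.2.2)."""
    bits = sorted(DN_IDENTITY_BITS[n] for n in names)
    if not bits:
        return b"\x03\x01\x00"  # empty BIT STRING: one octet, zero unused bits
    nbits = bits[-1] + 1        # highest set bit decides how many bits are encoded
    nbytes = (nbits + 7) // 8
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)  # bit 0 is the MSB of the first octet
    content = bytes([nbytes * 8 - nbits]) + bytes(value)  # unused-bits octet first
    return bytes([0x03, len(content)]) + content

def decode_mask(der: bytes) -> Set[str]:
    """Decode a short-form DER BIT STRING to the set of attribute names it selects."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed BIT STRING")
    unused, value = der[2], der[3:]
    nbits = len(value) * 8 - unused
    return {BIT_TO_NAME[i] for i in range(nbits)
            if i in BIT_TO_NAME and value[i // 8] & (0x80 >> (i % 8))}

def identity_view(dn: Dict[str, str], mask: Set[str]) -> Dict[str, str]:
    """The minimum attribute set the mask says identifies the subject within the CA."""
    missing = mask - set(dn)
    if missing:
        raise ValueError(f"DN lacks masked attributes: {sorted(missing)}")
    return {k: dn[k] for k in mask}

def same_subject(dn_a: Dict[str, str], dn_b: Dict[str, str], mask: Set[str]) -> bool:
    """Compare two subject DNs issued by the same CA on the masked attributes only."""
    return identity_view(dn_a, mask) == identity_view(dn_b, mask)

# Constructed sample: same CA, two certificates whose subjects differ only in
# localityName, which the mask says is not part of the identity.
MASK = {"countryName", "commonName", "serialNumber"}
DN_1 = {"countryName": "SE", "commonName": "A. Example", "serialNumber": "1001", "localityName": "Stockholm"}
DN_2 = {"countryName": "SE", "commonName": "A. Example", "serialNumber": "1001", "localityName": "Malmo"}
```

A full subject-DN comparison would treat DN_1 and DN_2 as different subjects; with the mask, the CA's stated identity attributes match while a change of serialNumber alone would not.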