RE: Global unique identifier




Robert Moskowitz <rgm-sec@htt-consult.com> on 04/12/2000 10:42:00 AM

To:   Anders Rundgren <anders.rundgren@jaybis.com>, "'Denis Pinkas'"
      <Denis.Pinkas@bull.net>
cc:   "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject:  RE: Global unique identifier



At 03:29 PM 4/12/2000 +0200, Anders Rundgren wrote:

>Essentially only one per country at maximum.   Companies etc. and commercial
>issuers like VerySign will use CA-specific naming domains I suppose?

No.  Get real.

A GUI would perforce be the IssuerName concatenated with the SubjectName.

[Tom Gindin]   A pre-existing GUI would not have to be based on the
IssuerName, nor would it necessarily contain the entire subject name.  It
could be (in the USA) a Social Security number (country + ID value) or an
employee ID (organization + ID value) - although Social Security numbers
might get banned by privacy legislation.  Only if the CA itself assigned
the GUI would the IssuerName be a mandatory component.

I can even see problems there, with WTO or WIPO having to deal with suits
and counter suits between CAs that use the same name.  At least with DNS we
stopped the independent root efforts.

[Tom Gindin]   Identical DN's for independent issuers would cause very
severe problems with the current standards, starting with CMS SignerInfo.
These proposals would not introduce any new limitations in that respect.

Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com
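
The CMS SignerInfo point raised in the message above, as an added example that is not part of the original thread: SignerInfo can name the signer's certificate by IssuerAndSerialNumber, so two independent CAs with the same DN make that lookup ambiguous. The `Cert` fields, the `issuer_key_id` stand-in, the simplified DN comparison and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

class AmbiguousIssuer(Exception):
    """One issuer DN + serial maps to certificates from different CA keys."""

@dataclass(frozen=True)
class Cert:
    issuer: str         # issuer DN as a comma-separated string
    serial: int         # unique only within one issuer
    subject: str
    issuer_key_id: str  # constructed stand-in for the issuing CA key's fingerprint

def norm_dn(dn):
    """Simplified DN matching: case-insensitive, whitespace-collapsed.
    Assumes no escaped commas and no multi-valued RDNs."""
    return tuple(
        tuple(" ".join(p.split()).lower() for p in rdn.split("=", 1))
        for rdn in dn.split(",")
    )

class CertStore:
    def __init__(self, certs):
        self._index = defaultdict(list)
        for c in certs:
            self._index[(norm_dn(c.issuer), c.serial)].append(c)

    def resolve(self, issuer, serial):
        """Map an IssuerAndSerialNumber to exactly one certificate, or fail closed."""
        hits = self._index.get((norm_dn(issuer), serial), [])
        if not hits:
            raise KeyError("no certificate for this issuer and serial")
        ca_keys = {c.issuer_key_id for c in hits}
        if len(ca_keys) > 1:
            raise AmbiguousIssuer("issuer DN shared by %d CA keys" % len(ca_keys))
        return hits[0]

# Constructed sample data: two unrelated CAs that chose the same DN.
CERTS = [
    Cert("CN=Example CA, O=Example, C=US", 1, "CN=Alice", "key-A"),
    Cert("cn=example ca,o=example,c=us", 1, "CN=Carol", "key-B"),
    Cert("CN=Other CA, O=Other, C=SE", 1, "CN=Bob", "key-C"),
]

def demo():
    store = CertStore(CERTS)
    unique = store.resolve("CN=Other CA, O=Other, C=SE", 1).subject
    try:
        store.resolve("CN=Example CA, O=Example, C=US", 1)
        return unique, False
    except AmbiguousIssuer:
        return unique, True
```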