
RE: Global unique identifier



Denis,
	I am not sure I understand why the DN would not be globally unique.
If it is unique within its domain, there should not be duplication of
domains and thus it becomes globally unique.  Please let me know if there is
some reason that this is not true.
Jim

-----Original Message-----
From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
Sent: Wednesday, April 12, 2000 9:04 AM
To: Anders Rundgren
Cc: ietf-pkix@imc.org
Subject: Global unique identifier


Anders,

In RFC 2459 paragraph 4.1.2.6 we have : "The DN MUST be unique for
each subject entity certified by the one CA as defined by the issuer
name field". There is no requirement to make the DN unique across
multiple CAs. 

Adding this requirement would either break RFC 2459 or build
something very different. Today, when a DN is used, it is a DN from
a given CA. Each CA may build its own tree of names. A sequence of
relative names forming a distinguished name from CA 1 and the same
sequence of names forming the same distinguished name from a CA 2 do
not necessarily need to point to the same entity. So the name of
the CA has to be used in addition to every DN in order to make the
difference. In other words, if two DNs from two different CAs are
identical, this does not mean that the two entities are necessarily
identical. This was supposed to be true, ten years ago, when the
Directory (with a capital D) was defined, but this is no more the
case today.

Now let us make the assumption that we introduce an explicit naming
domain information (or naming authority information) in some form of
name. Note that this topic does not apply only to the permanent
identifier but could apply as well to the DN: this is why it should
be discussed on a different thread. 

As a conclusion, this particular aspect should be discussed on a
separate thread (I have called it "Global unique identifier" but you
may use any other name you prefer, as long as it is not "permanent
identifier").

Denis
 

> Denis,
> <snip>
> >Please, do not make the story more complicated than requested. The
> >permanent identifier is a name of the subject, unique within the
> >issuer domain, that is not reused over time for another subject. The
> >name is only unique within the issuer domain (i.e. CA). Making the
> >name unique across different CAs would break the current PKIX model.
> 
> The requirement stated by Tom is very valid (I have raised it on this list a countless number of times)
> and applies 100% to what is supposed to be happening any old day here in Sweden.
> I.e. a number of competing CAs issue certificates to a Naming Domain they do not govern themselves.
> These identity certificates are supposed to be totally interchangeable as their physical counterparts
> have been the last 30 years or so.  By the use of a permanent ID and (implicit) naming domain.
> 
> I.e. any improvement or addition to QC must address the naming domain question as well.
> Or as Tom prefers.  The naming authority.
> 
> Anders
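The point Denis makes from RFC 2459 section 4.1.2.6 (a subject DN is only required to be unique among the entities certified by one CA, so a relying party must key on the issuer name together with the subject DN) can be shown in a small model. The following is an added illustration, not code from the thread or from any PKIX implementation; it assumes a simplified string form of DNs ("C=SE, O=Example AB, CN=Alice"), case-folds only the attribute types, and ignores multi-valued RDNs and escaping. The CA names and subject are constructed sample values.

```python
"""Subject DNs are scoped by issuer: a worked model of RFC 2459 4.1.2.6.

Assumptions (not from the thread): DNs are written as
"C=SE, O=Example AB, CN=Alice", parsed into a tuple of (type, value) RDNs,
and compared after case-folding the attribute type and trimming whitespace
around values. Real X.509 name matching is more involved; this is a
teaching model only.
"""
from collections import defaultdict


def parse_dn(text):
    """Parse 'C=SE, O=Example AB, CN=Alice' into a tuple of (type, value) RDNs.

    Attribute types are case-folded ('cn' == 'CN'); values keep their case
    but lose surrounding whitespace. Multi-valued RDNs and escaped commas
    are deliberately not handled (assumption for this example).
    """
    rdns = []
    for part in text.split(","):
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return tuple(rdns)


class CertificateAuthority:
    """Enforces the RFC 2459 rule: a DN MUST be unique among the subjects
    certified by *this* CA. Other CAs are free to certify the same DN."""

    def __init__(self, name):
        self.name = parse_dn(name)
        self._issued = {}          # subject DN -> serial number
        self._next_serial = 1

    def issue(self, subject):
        subject_dn = parse_dn(subject)
        if subject_dn in self._issued:
            raise ValueError(f"{subject!r} already certified by this CA")
        serial = self._next_serial
        self._next_serial += 1
        self._issued[subject_dn] = serial
        # A "certificate" here is just the triple a relying party keys on.
        return {"issuer": self.name, "subject": subject_dn, "serial": serial}


class CertificateIndex:
    """Shows why a relying party must key on (issuer, subject), not subject alone."""

    def __init__(self):
        self._by_subject = defaultdict(list)
        self._by_issuer_subject = {}

    def add(self, cert):
        key = (cert["issuer"], cert["subject"])
        if key in self._by_issuer_subject:
            raise ValueError("duplicate (issuer, subject) pair")
        self._by_issuer_subject[key] = cert
        self._by_subject[cert["subject"]].append(cert)

    def lookup_by_subject(self, subject):
        """Ambiguous: may return certificates for unrelated entities."""
        return list(self._by_subject.get(parse_dn(subject), []))

    def lookup(self, issuer, subject):
        """Unambiguous: the issuer name disambiguates identical subject DNs."""
        return self._by_issuer_subject.get((parse_dn(issuer), parse_dn(subject)))


def demo():
    """Constructed scenario: two CAs each certify a subject named 'CN=Alice'."""
    ca1 = CertificateAuthority("C=SE, O=CA One")
    ca2 = CertificateAuthority("C=SE, O=CA Two")
    index = CertificateIndex()
    index.add(ca1.issue("C=SE, O=Example AB, CN=Alice"))
    index.add(ca2.issue("c=SE, o=Example AB, cn=Alice"))   # same DN, other CA: allowed
    try:
        ca1.issue("C=SE, O=Example AB, CN=Alice")          # same DN, same CA: MUST NOT
        reissued = True
    except ValueError:
        reissued = False
    ambiguous = len(index.lookup_by_subject("C=SE, O=Example AB, CN=Alice"))
    exact = index.lookup("C=SE, O=CA Two", "C=SE, O=Example AB, CN=Alice")
    return {"reissue_allowed": reissued,
            "subject_only_matches": ambiguous,
            "issuer_scoped_serial": exact["serial"]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two sides of the rule: the second `ca1.issue` of the same DN is refused (the MUST in 4.1.2.6), while `ca2` certifying the identical DN is accepted, so a lookup by subject DN alone returns two certificates for what may be two unrelated entities and only the (issuer, subject) lookup is unambiguous. This is the reason a relying party, or any scheme that wants a globally unique name, has to carry the naming domain explicitly rather than assume the DN alone is global.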