
RE: Permanent identifiers in QC



Folks, I've been sort of off-line the last days.

So as catching up with this thread I think we need to decide the progress of
this issue.

I would just want to add an observation regarding NR and Authentication.
The issue is NOT whether permanent identifiers are of value for
Authentication or NR. What IS an issue is whether it is relevant for NR to
be able to compare 2 names in 2 different certificates and ensure that these
certificates identify the same person EVEN if some parts of the DN are not
matching.

This particular aspect is only raised as a feature for access control (when
an entity changes his certificate, or possesses several certificates with
different DN). In the case of NR and legal signatures, the only issue is to
establish the relation between a certificate and the individual key holder
(regardless of other certificates). Here the current profile provides the
necessary means.


But....

Regardless of this I agree with Steve that this issue should be advanced on
its own and merged later if it's found relevant to do so.

I would therefore request the QC profile to be advanced in its current
shape (except for a minor noted update in the reference list).

Steve:
How do we proceed?

/Stefan


> -----Original Message-----
> From: Russ Housley [mailto:housley@spyrus.com]
> Sent: Friday, April 14, 2000 4:36 PM
> To: Stephen Kent
> Cc: tgindin@us.ibm.com; ietf-pkix@imc.org
> Subject: Re: Permanent identifiers in QC
> 
> 
> I agree with Steve.  Note that the CAT Working Group has defined an 
> OTHER-NAME for Kerberos names.
> 
> Russ
> 
> 
> At 02:02 PM 04/13/2000 -0400, Stephen Kent wrote:
> >Tom,
> >
> >I have no problems with the sorts of IDs you proposed in your ASN 
> >GeneralName Other-Name examples. They seem to be consistent with the 
> >arguments that Denis has made for such constructs. However, before we add 
> >these to the updated part 1, I think we need more time to explore the 
> >utility for these name forms.  The debate on the list shows that there are 
> >widely diverse opinions about what such IDs are good for, what scope is 
> >feasible/appropriate, etc.  I'd be hesitant to hold up progress on the 
> >revision to 2459 to add this sort of facility which has been proposed only 
> >recently.  That's why several folks have suggested a separate, small 
> >document which can be advanced separately, and merged into 2459 if there 
> >is sufficient, consistent support.
> >
> >Steve
>