
Re: Can we form certificates with just name and e-mail address



> Christopher,
>
> You put your common name (or given name + surname) in the SubjectName field
> and your e-mail address in the rfc822Name field in a SubjectAlternativeName
> field extension.  I don't think that it is too important if the SubjectName
> is not unique; the combination of SubjectName and SerialNo has to be unique.
We have had this discussion in this list. The decision was that if you're going to use a DN field (subject name or a directory name as an alt name) then the contents should be "reasonable" in a directory context. That's why, when Denis Pinkas proposed a name form built from DN attributes but not consistent with real directory use, he agreed to define a new data type for it. The bottom line is that just because a name is constructed from directory attributes, that does not make it a reasonable DN.

> Alternatively, you can leave the SubjectName field blank (unusual but the
> standard permits it) and put your common name in a directoryName field in
> your alternative name and your e-mail address in an rfc822Name.  While
> you're at it, why not include the URL of your homepage in a uRI field!
> Remember that a SubjectAlternativeName is type GeneralNames, which means it
> can have any number of elements.
But, it is still of type DirectoryName and thus should be a name suitable for use in a directory, as noted above.

> On the subject of alternative names, what exactly is an ediPartyName,
> anybody?  I know that EDI stands for "Electronic Data Interchange" but I
> don't know anything more.
I always assumed the EDI folks have really exclusive parties and never invite the rest of us.

> Also, I have to say that I think it's crazy that your e-mail address has to
> go into an extension, or can only be placed in the name field by means of a
> (deprecated) kludge.  In a world context, your e-mail address is as
> important (at least) as your X.500 characteristics.  If I get a personal
> certificate, I don't have an "organization" or an "organizational unit"  -
> it's just me.
I agree that having a cert with an alt subject name that is JUST an RFC822 name would be fine. Your comments re O and OU are correct, but perhaps you are missing some context here. The directory distinguishes between organizational persons and residential persons. The latter don't contain an O or OU attribute.

Steve
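The two certificate layouts discussed in this exchange, a subject name plus an rfc822Name in the SubjectAltName, and the empty subject with directoryName, rfc822Name and URI all carried in the SubjectAltName, encoded by hand in DER so the structures can be inspected byte by byte. This is an added example, not code from the list or from any of the posters. The OIDs (id-at-commonName 2.5.4.3, id-ce-subjectAltName 2.5.29.17) and the GeneralName context-specific tag numbers are the standard X.509 ones as documented in RFC 5280; the person's name, e-mail address and homepage URL are constructed sample values.

```python
# Added example (not from the thread): a minimal DER encoder/decoder for the
# X.509 Name and GeneralNames structures, enough to show that an empty
# SubjectName is legal and that a SubjectAltName is a SEQUENCE OF GeneralName
# that may hold any number of entries of different kinds.

SEQUENCE, SET, OID, UTF8STRING, IA5STRING = 0x30, 0x31, 0x06, 0x0C, 0x16
ID_AT_COMMON_NAME = "2.5.4.3"        # id-at-commonName
ID_CE_SUBJECT_ALT_NAME = "2.5.29.17"  # id-ce-subjectAltName

# GeneralName CHOICE alternatives (context-specific tag numbers, RFC 5280 4.2.1.6).
GENERAL_NAME_TAGS = {
    "rfc822Name": 1,                  # IMPLICIT IA5String
    "dNSName": 2,                     # IMPLICIT IA5String
    "directoryName": 4,               # EXPLICIT Name (constructed encoding)
    "uniformResourceIdentifier": 6,   # IMPLICIT IA5String
}
TAG_TO_KIND = {v: k for k, v in GENERAL_NAME_TAGS.items()}


def der_length(n: int) -> bytes:
    """Definite-length DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def encode_name(attrs) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName.
    attrs is a list of (dotted OID, string value); an empty list gives the
    empty Name (30 00) that the standard permits in the subject field."""
    rdns = b""
    for oid, value in attrs:
        atv = tlv(SEQUENCE, encode_oid(oid) + tlv(UTF8STRING, value.encode("utf-8")))
        rdns += tlv(SET, atv)
    return tlv(SEQUENCE, rdns)


def encode_general_names(entries) -> bytes:
    """GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName.
    entries is a list of (kind, value); directoryName values are attr lists."""
    if not entries:
        raise ValueError("SubjectAltName must contain at least one GeneralName")
    body = b""
    for kind, value in entries:
        tagno = GENERAL_NAME_TAGS[kind]
        if kind == "directoryName":
            body += tlv(0xA0 | tagno, encode_name(value))     # constructed, EXPLICIT
        else:
            body += tlv(0x80 | tagno, value.encode("ascii"))  # primitive, IMPLICIT IA5String
    return tlv(SEQUENCE, body)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(der: bytes):
    """Inverse of encode_name: list of (dotted OID, string value)."""
    tag, content, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(content):
        _, rdn, pos = read_tlv(content, pos)   # SET OF AttributeTypeAndValue
        _, atv, _ = read_tlv(rdn, 0)           # SEQUENCE { type, value }
        _, oid_bytes, p = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p)
        attrs.append((decode_oid(oid_bytes), value.decode("utf-8")))
    return attrs


def decode_general_names(der: bytes):
    """Inverse of encode_general_names; unknown GeneralName kinds are rejected."""
    tag, content, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("GeneralNames must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        kind = TAG_TO_KIND.get(tag & 0x1F)
        if kind is None:
            raise ValueError(f"unsupported GeneralName tag 0x{tag:02x}")
        if tag & 0x20:                         # constructed: EXPLICIT Name inside
            out.append((kind, decode_name(value)))
        else:
            out.append((kind, value.decode("ascii")))
    return out


def build_example():
    """Constructed sample: empty subject, everything carried in the SubjectAltName."""
    subject = encode_name([])
    san = encode_general_names([
        ("directoryName", [(ID_AT_COMMON_NAME, "Christopher Example")]),
        ("rfc822Name", "christopher@example.org"),
        ("uniformResourceIdentifier", "https://www.example.org/~christopher"),
    ])
    return subject, san


if __name__ == "__main__":
    subject, san = build_example()
    print("subject :", subject.hex())
    print("SAN     :", san.hex())
    print("decoded :", decode_general_names(san))
```

The decoder only accepts the four GeneralName alternatives listed above, so it will reject an ediPartyName ([5]) or otherName ([0]) rather than silently misreading them; a real parser must handle every alternative of the CHOICE.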