RE: Can we form certificates with just name and e-mail address
Sorry, but I'm not quite getting what is so problematic with what
Christopher and Oscar proposed:
What really stops me from leaving the Subject field empty, and including BOTH my
e-mail address (as RFC822name) and my name/surname as a proper(!)
DirectoryName in the SubjectAltName field?
I believe that the root of the problem is in [mis]interpretation of the
"uniqueness of the name" requirement. The document says in (4.1.2.6
Subject):
-------------
Where it is non-empty, the subject field MUST contain an X.500 distinguished
name (DN). The DN MUST be unique for each subject entity
certified by the one CA as defined by the issuer name field. A CA may
issue more than one certificate with the same DN to the same subject
entity.
--------------
This is what Stefan was referring to, right?
However, there is NO such uniqueness requirement for the DN included in
the SubjectAltName. Or maybe I've missed one. So I do not see a problem with
having a SubjectAltName containing a non-unique DN, as long as the rest of the
information in the extension makes it unique.
Regards
Michael
> -----Original Message-----
> From: Stefan Santesson [mailto:stefan@accurata.se]
> Sent: Monday, June 19, 2000 8:44 AM
> To: Stephen Kent
> Cc: PKIX Mailing List
> Subject: Re: Can we form certificates with just name and e-mail address
>
> Steve,
>
> <snip>
> At 14:13 2000-06-16 -0400, you wrote:
> >Christopher,
> >
> >>You put your common name (or given name + surname) in the SubjectName field
> >>and your e-mail address in the rfc822Name field in a SubjectAlternativeName
> >>field extension. I don't think that it is too important if the SubjectName
> >>is not unique; the combination of SubjectName and SerialNo has to be unique.
> >
> >We have had this discussion in this list. The decision was that if you're
> >going to use a DN field (subject name or a directory name as an alt name)
> >then the contents should be "reasonable" in a directory context. That's
> >why, when Denis Pinkas proposed a name form built from DN attributes but
> >not consistent with real directory use, he agreed to define a new data
> >type for it. The bottom line is that just because a name is constructed
> >from directory attributes, that does not make it a reasonable DN.
> Rest deleted ....
>
> So I guess you confirm my conclusion that givenName + surname in the
> subject field, or as a directory name in alt name, does NOT by itself form
> a reasonable DN. Especially since there will be duplicate names.
>
> So the only thing left seems to be putting the names in
> SubjectDirectoryAttributes but I have problems/thoughts with that:
>
> 1) What will the current installed base of products say about that?
> 2) The latest X.509 version implies that attributes stored in the
> SubjectDirectoryAttributes are primary for authorization and not part of
> the subject's name.
>
> It seems that we have nowhere to go.
>
> Why can't an e-mail address be part of a reasonable DN? (I guess that's
> what the current text implies)
>
> /Stefan
>
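The certificate shape Michael proposes (empty subject, rfc822Name plus a givenName/surname directoryName in SubjectAltName) is legal under the same section 4.1.2.6 that is quoted above, but only with one condition the thread does not spell out: when subject naming information is present only in subjectAltName, the subject MUST be an empty sequence and the subjectAltName extension MUST be marked critical (RFC 2459, carried into RFC 5280). The following Go program is an added example, not code from anyone in this thread; it uses only the standard library, builds such a certificate, and runs a validator-side check that accepts it only when the critical flag is set. The e-mail address and the givenName/surname values are constructed for the example, and because crypto/x509 neither emits nor exposes directoryName entries, the SAN extension is encoded and decoded by hand with encoding/asn1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-ce-subjectAltName, and the two GeneralName CHOICE tags discussed in the thread.
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

const (
	tagRFC822Name    = 1 // rfc822Name [1] IA5String
	tagDirectoryName = 4 // directoryName [4] EXPLICIT Name
)

// givenName (2.5.4.42) and surname (2.5.4.4): pkix.Name has no fields for them,
// so they travel through ExtraNames.
var (
	oidGivenName = asn1.ObjectIdentifier{2, 5, 4, 42}
	oidSurname   = asn1.ObjectIdentifier{2, 5, 4, 4}
)

// buildSAN DER-encodes GeneralNames { rfc822Name email, directoryName dn }.
func buildSAN(email string, dn pkix.Name) ([]byte, error) {
	dnDER, err := asn1.Marshal(dn.ToRDNSequence())
	if err != nil {
		return nil, err
	}
	names := []asn1.RawValue{
		{Class: asn1.ClassContextSpecific, Tag: tagRFC822Name, Bytes: []byte(email)},
		// EXPLICIT tagging: a constructed [4] wrapping the complete Name TLV.
		{Class: asn1.ClassContextSpecific, Tag: tagDirectoryName, IsCompound: true, Bytes: dnDER},
	}
	return asn1.Marshal(names)
}

// makeCert issues a self-signed certificate with the given subject and SAN extension.
func makeCert(subject pkix.Name, sanDER []byte, sanCritical bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Critical: sanCritical, Value: sanDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Naming is what a validator extracts from a certificate whose identity lives in SAN.
type Naming struct {
	SubjectEmpty   bool
	SANCritical    bool
	Emails         []string
	DirectoryNames []pkix.Name
}

// InspectNaming reports subject/SAN naming and enforces the 4.1.2.6 rule:
// an empty subject is acceptable only with a present, critical subjectAltName.
func InspectNaming(cert *x509.Certificate) (Naming, error) {
	n := Naming{SubjectEmpty: len(cert.Subject.ToRDNSequence()) == 0, Emails: cert.EmailAddresses}
	var san *pkix.Extension
	for i := range cert.Extensions {
		if cert.Extensions[i].Id.Equal(oidSubjectAltName) {
			san = &cert.Extensions[i]
		}
	}
	if san == nil {
		if n.SubjectEmpty {
			return n, errors.New("empty subject and no subjectAltName: certificate names nobody")
		}
		return n, nil
	}
	n.SANCritical = san.Critical
	// Walk GeneralNames ourselves: crypto/x509 keeps rfc822Name but drops directoryName.
	var names []asn1.RawValue
	if _, err := asn1.Unmarshal(san.Value, &names); err != nil {
		return n, err
	}
	for _, gn := range names {
		if gn.Class == asn1.ClassContextSpecific && gn.Tag == tagDirectoryName {
			var seq pkix.RDNSequence
			if _, err := asn1.Unmarshal(gn.Bytes, &seq); err != nil {
				return n, err
			}
			var dn pkix.Name
			dn.FillFromRDNSequence(&seq)
			n.DirectoryNames = append(n.DirectoryNames, dn)
		}
	}
	if n.SubjectEmpty && !n.SANCritical {
		return n, errors.New("subject is empty but subjectAltName is not critical (RFC 2459/5280 4.1.2.6)")
	}
	return n, nil
}

// Constructed example identity (placeholder values, not from the thread).
var (
	exampleEmail = "michael@example.invalid"
	exampleDN    = pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{
		{Type: oidGivenName, Value: "Michael"}, {Type: oidSurname, Value: "Example"},
	}}
)

// CheckEmptySubjectCert builds the empty-subject certificate and validates it.
func CheckEmptySubjectCert(sanCritical bool) (Naming, error) {
	sanDER, err := buildSAN(exampleEmail, exampleDN)
	if err != nil {
		return Naming{}, err
	}
	cert, err := makeCert(pkix.Name{}, sanDER, sanCritical)
	if err != nil {
		return Naming{}, err
	}
	return InspectNaming(cert)
}

func main() {
	for _, critical := range []bool{true, false} {
		n, err := CheckEmptySubjectCert(critical)
		fmt.Printf("SAN critical=%v: subjectEmpty=%v emails=%v dirNames=%d err=%v\n",
			critical, n.SubjectEmpty, n.Emails, len(n.DirectoryNames), err)
	}
}
```

The uniqueness question in the thread is orthogonal to this check: the directoryName recovered here is whatever the CA put in, and nothing in the extension syntax prevents two subscribers from sharing "Michael Example", which is why a CA relying on this form should key its issued-certificate index on the full SAN contents (or on the rfc822Name) rather than on the DN alone.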