Stefan,

Steve, <snip>

At 14:13 2000-06-16 -0400, you wrote:

Rest deleted ....

Christopher,

We have had this discussion in this list. The decision was that if you're going to use a DN field (subject name or a directory name as an alt name) then the contents should be "reasonable" in a directory context. That's why, when Denis Pinkas proposed a name form built from DN attributes but not consistent with real directory use, he agreed to define a new data type for it. The bottom line is that just because a name is constructed from directory attributes, that does not make it a reasonable DN.

You put your common name (or given name + surname) in the SubjectName field and your e-mail address in the rfc822Name field in a SubjectAlternativeName field extension. I don't think that it is too important if the SubjectName is not unique; the combination of SubjectName and SerialNo has to be unique.
So I guess you confirm my conclusion that givenName + surname in the subject field, or as a directory name in alt name, does NOT by itself form a reasonable DN. Especially since there will be duplicate names.
Right.
So the only thing left seems to be putting the names in SubjectDirectoryAttributes, but I have problems/thoughts with that:
1) What will the current installed base of products say about that?
I don't know. Many would probably ignore attributes in that extension.
2) The latest X.509 version implies that attributes stored in the SubjectDirectoryAttributes are primary for authorization and not part of the subjects name.
Right again.
It seems that we have nowhere to go.

The argument is that a DN is the name of an entry in the DIT. One would not create a schema where an e-mail address was tacked onto the end of an otherwise good DN. It would create an additional layer of the tree that served no purpose, as it dangles under the real user entry. An e-mail address is an alternative way of identifying an entity. Thus it is a perfectly fine attribute for a directory entry, but it makes no sense as an added attribute in a DN.
Why can't an e-mail address be part of a reasonable DN? (I guess that's what the current text implies)