Re: Can we form certificates with just name and e-mail address
- To: Stefan Santesson <stefan@xxxxxxxxxxx>
- Subject: Re: Can we form certificates with just name and e-mail address
- From: Stephen Kent <kent@xxxxxxx>
- Date: Tue, 20 Jun 2000 11:13:52 -0400
- Cc: "PKIX Mailing List" <ietf-pkix@xxxxxxx>
Stefan,
> Steve,
> Thanks for useful input. Just to round this up, can you confirm the
> conclusion that issuing certificates where subjects are represented
> by just e-mail address + givenName + surname (and maybe also
> country) is simply not possible.
> The name must simply be combined with a serialNumber attribute or
> some other information that makes the name (with e-mail address
> excluded) a reasonable DN.
> Right?
Well, it's possible to issue certs with any sort of DN. The question
is what makes sense given the semantics of a DN, not just viewing it
as a string of AVAs irrespective of context. The question I would ask
is what would the directory tree look like given a proposed DN. How
would the tree be distributed and managed? Think about the schema
with those considerations in mind.
For example, if one uses a geopolitical and organizational structure,
which is the common model for DNs, we see lots of reasonable options
for dividing the tree and determining who is responsible for
maintaining what portions of it. On the other hand, if a DN consists
of an e-mail address plus givenName and surname, this seems rather
odd. The e-mail address, as a single attribute, results in a very
broad fan out under the root. (In contrast, if one used DC
attributes, as mentioned recently, one could mimic the structure of
the DNS, which is well suited for separation and distributed
maintenance, as the DNS has shown.) Since e-mail addresses are
already globally unique, what does the given name and surname do for
you, from a tree structure standpoint?
Steve
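As an added illustration (example code written for this archive page, not from either poster), the Python below builds the two subject-DN schemes discussed above for a handful of constructed subjects and measures the tree shape each implies: how many subtrees sit directly under the root, and how many root-first RDNs are needed before subjects are distinct. The sample users and the use of UID for the e-mail local part are assumptions.

```python
# Added example, not from the PKIX thread: compare the directory tree implied
# by a flat emailAddress+givenName+surname DN with a DC-based DN.
from collections import Counter

# Constructed sample subjects: (e-mail, givenName, surname)
SUBJECTS = [
    ("alice@sales.example.com", "Alice", "Adams"),
    ("bob@sales.example.com", "Bob", "Baker"),
    ("carol@eng.example.com", "Carol", "Clark"),
    ("dave@eng.example.net", "Dave", "Davis"),
]

def email_dn(email, given, sur):
    """Flat scheme: the e-mail address is an AVA directly under the root.
    RDNs are listed root-first as (attribute, value) tuples."""
    return [("emailAddress", email), ("givenName", given), ("SN", sur)]

def dc_dn(email, given, sur):
    """DC scheme: DNS labels become domainComponent RDNs (root-first), so the
    tree mirrors DNS delegation; the local part becomes a UID leaf (assumed)."""
    local, _, domain = email.partition("@")
    rdns = [("DC", label) for label in reversed(domain.split("."))]
    return rdns + [("UID", local), ("givenName", given), ("SN", sur)]

def dn_string(rdns):
    """Render root-first RDNs in RFC 4514 order (most specific first)."""
    return ",".join(f"{attr}={val}" for attr, val in reversed(rdns))

def fan_out(dns, depth=1):
    """Number of distinct subtrees at `depth` RDNs below the root, i.e. how
    many separately administrable partitions exist at that level."""
    return len(Counter(tuple(dn[:depth]) for dn in dns))

def min_unique_depth(dns):
    """Smallest root-first prefix length that already distinguishes every
    subject; RDNs below that depth add no uniqueness to the name."""
    for depth in range(1, max(len(dn) for dn in dns) + 1):
        if len({tuple(dn[:depth]) for dn in dns}) == len(dns):
            return depth
    return None

if __name__ == "__main__":
    flat = [email_dn(*s) for s in SUBJECTS]
    dc = [dc_dn(*s) for s in SUBJECTS]
    for name, dns in (("flat e-mail DN", flat), ("DC-based DN", dc)):
        print(f"{name}: {dn_string(dns[0])}")
        print(f"  subtrees under root: {fan_out(dns)}; "
              f"RDNs needed for uniqueness: {min_unique_depth(dns)}")
```

With the four sample subjects the flat scheme puts every subject in its own subtree under the root and is already unique after the emailAddress RDN alone, so givenName and surname contribute nothing to uniqueness; the DC scheme yields two top-level subtrees (com, net) that can be delegated along DNS lines.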