
Re: National Identifier into Serial Number or SubjectAltName? (Was: Why don't using Permanent Identifier on QC certificates?)



     Responses below.  One question brought up by this thread is whether QC
should use PI now that PI has reached a similar point in the cycle.  When
QC was at draft 3 while PI was brand new, there were reasons not to delay
QC's for PI's, irrespective of PI's possible usefulness within QC's.  Those
reasons no longer apply.
     Most of the detailed responses below deal with the question of whether
there is any reason to make the DN of a governmental assignment authority
easily distinguishable from that of a private organization acting as an
assignment authority.

          Tom Gindin


Juan Carlos Perez Aguayo <juancarlos.perez@acepta.com> on 12/20/2000
11:57:39 AM

Please respond to <juancarlos.perez@acepta.com>

To:   "Robert Moskowitz" <rgm-sec@htt-consult.com>
cc:   "Ietf-Pkix" <ietf-pkix@imc.org>
Subject:  National Identifier into Serial Number or SubjectAltName? (Was:
      Why don't using Permanent Identifier on QC certificates?)



Maybe it isn't a good idea to incorporate Permanent Identifier into a QC, as
Anders Rundgren said to me:

"...If you use QC DN must be unique so you really do not have an
alternative but keep SerialNumber
and insert a redundant SerialNumber in a PI entry.

That's why I think PI is wrong. ..."

My principal concern is about how to incorporate a national ID into a
certificate, in an interoperable fashion.

I don't know how many countries have National IDs, or whether it is desired
that such an ID be incorporated into a digital certificate, but in my
country (CHILE) this is the case, and I wish to use a standard solution...

I think that QC is a good solution for certificates issued only to physical
persons, and when a unique statement of identity is required.

I like the PI solution, mainly because I think that "Permanent Identifier" is a
separate concept, and should be outside the DN, but I am concerned about how
much support PI currently has in the PKIX WG. It seems that QC has better
support today.

I am the Chief Technology Officer of a new Certification Authority in my
country (we are currently not in production yet, but soon I hope :) ), and
I am strongly supporting "PKIX standards" for our certificates.

If you are not interested in a discussion on Chilean National IDs and
certificates, you might skip the
rest of this message.

In my country, Chile, the Civil Registry Authority issues a unique
identifier (on a national domain) at birth. This ID is put on a plastic
"identification card" (and biometric information is on the card too).
Every citizen has an ID. This ID is used for many transactions: paying taxes,
obtaining bank accounts, voting, ... So I think that it is nice to incorporate
this ID into a certificate, as a "virtual" identification card (without photo
and biometrics).

[Tom Gindin] Such an ID would be the most common case of a PI with the
assignment authority set to C=CL.

Companies must obtain an ID assigned by the authority too. This ID
uniquely identifies the company within the country.

[Tom Gindin] The only issue in implementing this is what the correct
assignment authority name would be.  If the ID's are not clearly
incompatible (a different number of digits or an alpha prefix unique to
companies, for example), they could not use the same assignment authority
name.  Do we need to standardize a specific attribute value under a
geographic unit (whether C, C + ST, C + L, or C + ST + L) to indicate
organizational ID's while reserving the unqualified geographic unit name
for personal ID's assigned by the government of that unit, or should the
government just assign an organization name which will be human-readable
but will differ between jurisdictions?  There is no obvious X.520 attribute
to standardize under, nor any in RFC 1274 nor PKCS#9.

What do you think the future support for the PI draft will be?

Thanks

Juan Carlos Perez Aguayo
CTO
Acepta.com
juancarlos.perez@acepta.com