Re: National Identifier into Serial Number or SubjectAltName? (Was: Why don't using Permanent Identifier on QC certificates?)
- To: Tom Gindin <tgindin@xxxxxxxxxx>
- Subject: Re: National Identifier into Serial Number or SubjectAltName? (Was: Why don't using Permanent Identifier on QC certificates?)
- From: Denis Pinkas <Denis.Pinkas@xxxxxxxx>
- Date: Thu, 21 Dec 2000 10:15:12 +0100
- Cc: Ietf-Pkix <ietf-pkix@xxxxxxx>
- References: <>
Tom,
> Responses below. One question brought up by this thread is whether QC
> should use PI now that PI has reached a similar point in the cycle. When
> QC was at draft 3 while PI was brand new, there were reasons not to delay
> QC's for PI's, irrespective of PI's possible usefulness within QC's. Those
> reasons no longer apply.
QC is now an RFC (Proposed Standard). Maybe it would be nice to add a section in
PI to explain how PI may be used in conjunction with a QC and explain more about
the use of serial number in the DN field from QC. This does not change any of
the basics from PI, but could provide useful information to the reader.
Denis
> Most of the detailed responses below deal with the question of whether
> there is any reason to make the DN of a governmental assignment authority
> easily distinguishable from that of a private organization acting as an
> assignment authority.
>
> Tom Gindin
>
> Juan Carlos Perez Aguayo <juancarlos.perez@acepta.com> on 12/20/2000
> 11:57:39 AM
>
> Please respond to <juancarlos.perez@acepta.com>
>
> To: "Robert Moskowitz" <rgm-sec@htt-consult.com>
> cc: "Ietf-Pkix" <ietf-pkix@imc.org>
> Subject: National Identifier into Serial Number or SubjectAltName? (Was:
> Why don't using Permanent Identifier on QC certificates?)
>
> Maybe it isn't a good idea to incorporate Permanent Identifier into a QC, as
> Anders Rundgren said to me:
>
> "...If you use QC DN must be unique so you really do not have an
> alternative but keep SerialNumber
> and insert a redundant SerialNumber in a PI entry.
>
> That's why I think PI is wrong. ..."
>
> My principal concern is about how to incorporate a national ID into a
> certificate, in an interoperable fashion.
>
> I don't know how many countries have National IDs, and if it is desired that
> such an ID could be incorporated into a digital certificate, but in my
> country (CHILE) it so happens, and I wish to use a standard solution...
>
> I think that QC is a good solution for certificates issued only to physical
> people, and when a unique statement of identity is required.
>
> I like the PI solution, mainly because I think that "Permanent Identifier" is a
> separate concept, and should be outside the DN, but I am concerned about how
> much support PI currently has in the PKIX WG. It seems that QC has better
> support today.
>
> I am the Chief Technology Officer of a new Certification Authority in my
> country (we are currently not in production yet, but soon I hope :) ), and
> I am strongly supporting "PKIX standards" for our certificates.
>
> If you are not interested in a discussion on Chilean National IDs and
> certificates, you might skip the
> rest of this message.
>
> In my country, Chile, the Civil Registry Authority issues a unique
> identifier (on a national domain) at birth. This ID is put onto a plastic
> "identification card" (and biometric information is on the card too).
> Every citizen has an ID. This ID is used for many transactions: tax payment,
> obtaining bank accounts, voting, ... So I think that it is nice to incorporate
> this ID into a certificate, as a "virtual" identification card (without photo
> and biometrics).
>
> [Tom Gindin] Such an ID would be the most common case of a PI with the
> assignment authority set to C=CL.
>
> Companies must obtain an ID assigned by the authority too. This ID
> uniquely identifies the company within the country.
>
> [Tom Gindin] The only issue in implementing this is what the correct
> assignment authority name would be. If the ID's are not clearly
> incompatible (a different number of digits or an alpha prefix unique to
> companies, for example), they could not use the same assignment authority
> name. Do we need to standardize a specific attribute value under a
> geographic unit (whether C, C + ST, C + L, or C + ST + L) to indicate
> organizational ID's while reserving the unqualified geographic unit name
> for personal ID's assigned by the government of that unit, or should the
> government just assign an organization name which will be human-readable
> but will differ between jurisdictions? There is no obvious X.520 attribute
> to standardize under, nor any in RFC 1274 nor PKCS#9.
>
> What do you think the future support for the PI draft is?
>
> Thanks
>
> Juan Carlos Perez Aguayo
> CTO
> Acepta.com
> juancarlos.perez@acepta.com