
Re: National Identifier into Serial Number or SubjectAltName? (Was: Why don't using Permanent Identifier on QC certificates?)



> I would use a different example:
> 
> C= CL, O= My org, OU = my Unit, CN = Jhon Davis and serial number = 22
> C= CL, O= My org, OU = my Unit, CN = Jhon Davis and serial number = 23
> 
> These two individuals are different. Their names are unique. However, their
> serial numbers do NOT relate to any national identification scheme. The PI could
> support a national identification scheme or any other identification scheme.
> 
> This means that there exist cases where both the serial number from the DN and
> the PI have some reason to co-exist.

Juan and Denis,

Technically a possible solution, yes, but inserting disambiguating nonsense serial numbers in the DN when 
you actually have a unique identity number (national or other) seems like a very odd solution. 

For migration purposes CAs will have to continue "to put the identity in the DN" essentially 
until/if PI is built into the heart of all major RP software. The current solution is to use external "mapping 
software" that extracts PI-info and supplies the "naming authority" externally. As the number of CAs that 
a given RP is likely to support/trust is likely to be fairly limited, this makes PI somewhat redundant. 

If PI instead had been targeted to support the existing DN mapping processes instead of creating new 
places to stuff partly redundant identity information (effectively "competing with DN"), it would have been a
nicer option.

Or you can of course use the following semantics: If there is a PI - ignore DN completely.  It should
only be used for "display purposes".  I find this neither compatible with current practice nor with QC.

Anders
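The two structures the thread argues about, the DN serialNumber attribute and the RFC 4043 PermanentIdentifier otherName in SubjectAltName, are easy to confuse in the abstract, so here is an added example (not code from anyone in the thread) that encodes a PermanentIdentifier the way it appears on the wire, parses it back out of a SubjectAltName, and implements the relying-party mapping rule the messages describe: a PI from a recognised assigner wins, otherwise the DN serialNumber is interpreted under a per-CA scheme that the RP configures externally (the "mapping software" approach). The OID 1.3.6.1.5.5.7.8.3 and the SEQUENCE layout are from RFC 4043; the assigner OID 1.3.6.1.4.1.99999.7, the issuer names, the identifier value and the subject DNs are constructed for illustration and carry no real meaning. It is pure Python so it runs with no third-party library.

```python
# Added example (not from the thread): minimal DER encode/decode for the
# RFC 4043 PermanentIdentifier otherName, plus an RP-side identity mapping
# that prefers a PI and falls back to the DN serialNumber per issuing CA.
# Assigner OID, CA names, DNs and identifier values are constructed here.
from typing import Dict, List, Optional, Tuple

ID_ON_PERMANENT_IDENTIFIER = "1.3.6.1.5.5.7.8.3"   # id-on-permanentIdentifier
TAG_SEQUENCE, TAG_OID, TAG_UTF8, TAG_CTX0 = 0x30, 0x06, 0x0C, 0xA0


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                       # base-128, high bit = "more"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(body))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _children(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        yield tag, content


def encode_permanent_identifier(value: Optional[str], assigner: Optional[str]) -> bytes:
    # PermanentIdentifier ::= SEQUENCE { identifierValue UTF8String OPTIONAL,
    #                                    assigner OBJECT IDENTIFIER OPTIONAL }
    parts = b""
    if value is not None:
        parts += _tlv(TAG_UTF8, value.encode("utf-8"))
    if assigner is not None:
        parts += encode_oid(assigner)
    return _tlv(TAG_SEQUENCE, parts)


def other_name(type_id: str, value_der: bytes) -> bytes:
    # GeneralName.otherName is [0] IMPLICIT OtherName { type-id OID,
    # value [0] EXPLICIT ANY }, so both the wrapper and the value use tag A0.
    return _tlv(TAG_CTX0, encode_oid(type_id) + _tlv(TAG_CTX0, value_der))


def encode_san(general_names: List[bytes]) -> bytes:
    return _tlv(TAG_SEQUENCE, b"".join(general_names))   # SEQUENCE OF GeneralName


def find_permanent_identifiers(san_der: bytes) -> List[Tuple[Optional[str], Optional[str]]]:
    """Return every (identifierValue, assigner) PI found in a DER SubjectAltName."""
    tag, seq, _ = _read_tlv(san_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectAltName is not a SEQUENCE")
    found = []
    for gtag, gcontent in _children(seq):
        if gtag != TAG_CTX0:                   # only otherName can carry a PI
            continue
        (_, oid_body), (_, explicit) = list(_children(gcontent))
        if decode_oid(oid_body) != ID_ON_PERMANENT_IDENTIFIER:
            continue
        _, pi_body, _ = _read_tlv(explicit)    # unwrap the [0] EXPLICIT value
        value = assigner = None
        for t, c in _children(pi_body):
            if t == TAG_UTF8:
                value = c.decode("utf-8")
            elif t == TAG_OID:
                assigner = decode_oid(c)
        found.append((value, assigner))
    return found


def resolve_identity(issuer: str, subject: Dict[str, str], san_der: bytes,
                     pi_assigners: Dict[str, str],
                     ca_dn_schemes: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """RP rule: a PI from a recognised assigner wins; otherwise the DN
    serialNumber is read under the scheme configured for the issuing CA.
    Returns (scheme, identifier) or None if neither source is usable."""
    for value, assigner in find_permanent_identifiers(san_der):
        if value and assigner in pi_assigners:
            return pi_assigners[assigner], value
    if issuer in ca_dn_schemes and subject.get("serialNumber"):
        return ca_dn_schemes[issuer], subject["serialNumber"]
    return None
```

Two details matter for anyone writing such mapping code: the assigner OID is what makes a PI value meaningful, so an RP that does not recognise the assigner must not silently treat the bare string as a national number, and the DN serialNumber fallback is only safe when keyed by the issuing CA, since the two "Jhon Davis" subjects from the quoted example are distinguishable only within that one CA's numbering.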