Re: "Subject Alternative Name" v/s "Subject/Serial Number"
To the list and the co-chairs,
From the discussion on the list, due to the lack of a standard, some CAs
have defined private extensions to support the concept of a permanent
identifier.
The two cases advertised to the list are the following:
1) The Australian Government wanted to put the ABN (Australian Business
Number) (a social security type number for companies) into certificates.
They looked into it and decided the best place for it was in a private
extension. It has its own OID: 1.2.36.1.333.1, and what follows this
OID is the 11 or 12 digit ABN number.
2) It was very clear for us that Chile was going to need an OID for the RUN.
We registered 1.3.6.1.4.1.8321 as an OID for Chile and reserved
1.3.6.1.4.1.8321.1 to be used for RUN.
In order to avoid/limit the proliferation of such private extensions, or
avoid the use of the serialNumber attribute in a way that is not conformant
to the standards, I believe that it is time to progress the Permanent
Identifier draft (http://www.imc.org/draft-ietf-pkix-pi) that has been
dormant for nearly two years.
The single question is whether this document should be progressed on the
standards track or issued as an informational RFC. I would like to hear the
opinion of the co-chairs on this topic, then I will re-issue the document.
I think that the standards track would be more appropriate.
Denis
> Thanks a lot, I respond between lines...
>
> >
> > The next two questions are for you:
> >
> > 1) if two certificates *from two different CAs* contain the same RUN
> > (Rol Unico Nacional) is your intention to be able to say that it is
> > the same person ?
>
> Yes, any CA accredited in Chile MUST follow certification practices in order
> to validate the Chilean Unique Identifier (RUN) of each individual certified.
>
> >
> > 2) after having taken a look at http://www.imc.org/draft-ietf-pkix-pi,
> > would you think more appropriate in your case to support the notion
> > of permanent identifier in the DN or in the Subject Alternative Name ?
> >
>
> I continue thinking it is better to use Subject Alternative Name. After
> reading RFC 2459 it was very clear for us that Chile was going to need an
> OID for the RUN. We registered 1.3.6.1.4.1.8321 as an OID for Chile and
> reserved 1.3.6.1.4.1.8321.1 to be used for RUN. Now, any CA to be accredited
> for the government taxes department MUST use it. Here is my certificate as
> an example:
>
> http://varios.acepta.com/ietf/roberto.opazo.cer
>
> It seems very close to the Unique Identifier recommendations.
>
> Now some comments for the future RFC...
>
> I like the argument “you cannot take any advantage of one unique
> identifier in the DN”. I think this could be mentioned in the “Introduction”.
>
> Another situation that could be mentioned is “Individuals can have many
> Permanent Identifiers and many RPs can work with one of them, but other RPs
> could be interested in others. For example, the national security code v/s
> the passport number. If people have to administer more than one
> certificate, usability problems start. So we need to use User Alternative
> Names”.
>
> In the definition part, I think the RFC should start from the General Names
> syntax of the User Alternative Name; otherwise the manner of certificate
> codification is not clear. And also, I do not understand why not to use
> the choice “other name” for Permanent Identifier.
>
> >
> > Denis
> >
>
> Best regards,
>
> Roberto
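As an added example (not code from this thread, nor from any of the CAs mentioned), here is a minimal pure-Python DER encoder/decoder for the SubjectAltName otherName that carries the RUN under the 1.3.6.1.4.1.8321.1 arc Roberto describes, together with the relying-party lookup that a same-RUN comparison across CAs would be built on. The RUN value is constructed, and short-form DER lengths (under 128 bytes) are assumed.

```python
RUN_OID = "1.3.6.1.4.1.8321.1"  # Chile's private arc for the RUN, as cited in the thread

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "short-form DER length only in this example"
    return bytes([tag, len(body)]) + body

def encode_oid(dotted: str) -> bytes:
    # OBJECT IDENTIFIER (tag 0x06): first two arcs fused, then base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))

def decode_oid(body: bytes) -> str:
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def encode_san_with_run(run: str) -> bytes:
    # GeneralNames SEQUENCE OF one otherName: [0] IMPLICIT SEQUENCE { OID, [0] EXPLICIT UTF8String }
    other_name = encode_oid(RUN_OID) + _tlv(0xA0, _tlv(0x0C, run.encode("utf-8")))
    return _tlv(0x30, _tlv(0xA0, other_name))

def _walk(der: bytes, pos: int):
    tag, length = der[pos], der[pos + 1]          # returns (tag, body, next_pos)
    return tag, der[pos + 2:pos + 2 + length], pos + 2 + length

def extract_run(san_der: bytes):
    """Relying-party side: the RUN from the otherName carrying RUN_OID, else None."""
    tag, names, _ = _walk(san_der, 0)
    pos = 0
    while tag == 0x30 and pos < len(names):   # GeneralNames must be a SEQUENCE
        tag, body, pos = _walk(names, pos)
        if tag != 0xA0:            # dNSName, rfc822Name etc. are not otherName
            continue
        oid_tag, oid_body, nxt = _walk(body, 0)
        if oid_tag != 0x06 or decode_oid(oid_body) != RUN_OID:
            continue               # a different private otherName (e.g. the ABN one); ignore it
        _, explicit, _ = _walk(body, nxt)
        vtag, value, _ = _walk(explicit, 0)
        return value.decode("utf-8") if vtag == 0x0C else None
    return None
```

Per the thread's rule, two certificates whose `extract_run` results are equal and non-None denote the same person, whichever accredited Chilean CA issued them.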