Re: OCSP I-Ds going forward
Peter,
You are, of course, correct. I'm just surprised to see an ideological
principle being articulated by a pragmatist such as yourself.
One problem, even within a centrally-administered PKI such as the DoD's,
is that there are advocates for putting local (non-unique) distinguished
names in certificates. Unfortunately, what are two local contexts one
month can become a single context with colliding DNs the next, so if a
PKI is to remain un-broken when that happens, it must ensure not only
its own name uniqueness but the uniqueness of all other PKIs with which
any RP might expect it to interoperate.
X.509 provides the tools (name constraints) to enforce uniqueness across
cooperating but independent PKIs. But how many of the CAs in just the
Microsoft and Netscape trust lists subscribe to the idea that they
must cooperate to the extent of using DNs only from a global
DIT? To avoid defective PKIs, there must be a global namespace even
though there will never be a Global Directory.
I can think of only one way that that might happen: require every CA
that wants to join the "Unbroken PKI" to have an RFC 2247 (DC)
distinguished name instead of the old C=x, O=y.
Do you think that's likely to happen?
Do you think there's a different coordination mechanism that's likely
to happen?
Do you really think OCSP (and S/MIME) should just shrug their shoulders
and say "not my problem"?
Dave
Peter Gutmann wrote:
>
> Denis Pinkas <Denis.Pinkas@xxxxxxxx> writes:
>
> > However, two CAs
> > might have the same DN and be certified under different
> > branches of a certification tree.
>
> There is a special name for a PKI of this kind. It's called "Broken" or
> "Defective".
>
> It is not the job of OCSP to fix defective PKIs.
>
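The two mechanisms the message leans on, directoryName name constraints (RFC 5280 s4.2.1.10) and RFC 2247 DC-based names, are easy to model. The block below is an added toy illustration, not code from this thread or from any OCSP or S/MIME implementation: it models a DN as a root-first tuple of RDNs, applies the RFC 5280 prefix rule for directoryName constraints along a chain, and shows the "same DN under different branches" situation Denis described as a lookup collision. The PKIs, CA names, subject names and chains are constructed for the example; real X.500 name matching (multi-valued RDNs, escaping, the full caseIgnoreMatch rules) is deliberately simplified.

```python
"""
Toy model of X.509 directoryName name constraints (RFC 5280 s4.2.1.10)
and of the DN-collision problem discussed in the thread. Added example,
not code from the original message; all PKIs, names and certificates
below are constructed for illustration.
"""
from collections import defaultdict


def _norm(s):
    # Rough stand-in for X.520 caseIgnoreMatch: casefold, collapse whitespace.
    return " ".join(s.split()).casefold()


def parse_dn(text):
    """Parse an RFC 4514 string ("CN=Alice,O=Acme,C=US") into a tuple of
    (type, value) RDNs in ASN.1 order (root first), normalized for comparison.
    Multi-valued RDNs and escaping are not handled in this toy."""
    rdns = []
    for rdn in text.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad RDN {rdn!r}")
        rdns.append((_norm(attr), _norm(value)))
    return tuple(reversed(rdns))


def dn_prefix_match(constraint, name):
    """A directoryName constraint matches a name when the constraint's RDNs
    are an initial (root-first) prefix of the name's RDNs."""
    return len(constraint) <= len(name) and name[:len(constraint)] == constraint


def name_allowed(name, permitted, excluded):
    """RFC 5280 rule: the name must lie outside every excluded subtree and,
    if any permitted subtrees are given, inside at least one of them."""
    if any(dn_prefix_match(c, name) for c in excluded):
        return False
    if permitted and not any(dn_prefix_match(c, name) for c in permitted):
        return False
    return True


def validate_chain(chain):
    """chain: trust anchor first, end entity last. Each element is a dict with
    'subject' (RFC 4514 string) and optional 'permitted'/'excluded' lists of
    directoryName subtrees that constrain everything issued below that CA.
    Returns the index of the first certificate whose subject violates an
    inherited constraint, or None if the whole chain is acceptable."""
    permitted, excluded = [], []
    for idx, cert in enumerate(chain):
        subject = parse_dn(cert["subject"])
        if idx > 0 and not name_allowed(subject, permitted, excluded):
            return idx
        # A CA's constraints bind its subordinates, not its own name.
        permitted += [parse_dn(p) for p in cert.get("permitted", [])]
        excluded += [parse_dn(e) for e in cert.get("excluded", [])]
    return None


def colliding_subjects(certs):
    """Given end-entity certs from several PKIs, return the subject DNs that
    more than one issuer has certified. An RP keying on the DN alone cannot
    tell these apart: the 'defective PKI' case from the thread."""
    by_subject = defaultdict(set)
    for cert in certs:
        by_subject[parse_dn(cert["subject"])].add(parse_dn(cert["issuer"]))
    return sorted(s for s, issuers in by_subject.items() if len(issuers) > 1)


# --- constructed sample data (hypothetical PKIs) ----------------------------
# Two independent PKIs that both hand out "local" C=/O= names for one person.
LEGACY_CERTS = [
    {"subject": "CN=Alice,OU=Staff,O=Acme,C=US", "issuer": "OU=PKI 1,O=Acme,C=US"},
    {"subject": "CN=Alice,OU=Staff,O=Acme,C=US", "issuer": "CN=Other Root,O=Other Inc,C=US"},
    {"subject": "CN=Bob,OU=Staff,O=Acme,C=US",   "issuer": "OU=PKI 1,O=Acme,C=US"},
]

# A root that only vouches for RFC 2247 (DC) names under DC=com,DC=example.
DC_ROOT = {"subject": "CN=Example Root CA,DC=example,DC=com",
           "permitted": ["DC=example,DC=com"]}
DC_SUB = {"subject": "CN=Example Issuing CA,DC=example,DC=com"}

GOOD_CHAIN = [DC_ROOT, DC_SUB, {"subject": "CN=Alice,OU=Staff,DC=example,DC=com"}]
# Same CN=Alice, but outside the subtree this root is permitted to speak for.
BAD_CHAIN = [DC_ROOT, DC_SUB, {"subject": "CN=Alice,OU=Staff,DC=example,DC=org"}]

if __name__ == "__main__":
    print("colliding DNs in legacy PKIs:", colliding_subjects(LEGACY_CERTS))
    print("DC chain, in-scope name:", validate_chain(GOOD_CHAIN))
    print("DC chain, out-of-scope name:", validate_chain(BAD_CHAIN))
```

The point of the DC form is that the namespace is partitioned by a registry that already exists (DNS), so a root constrained to its own DC subtree cannot certify a name that some other cooperating PKI could also legitimately issue, whereas nothing stops two C=/O= roots from both producing the first subject above.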