
Re: RFC 3039 problems - Was: Re: The IETF 56 - PKIX Agenda




Anders,


Since you asked, here is a short TECHNICAL reply.

Stefan,

The conclusion is that in your opinion there is no problem with
RFC 3039 with regard to this.

Personally I have had a hard time seeing the problem with this.
This was sorted out many years ago and X.520 was even updated to
clarify that it was appropriate to accommodate this use, i.e. assigning
identifiers to humans. (X.520: "The Serial Number attribute
type specifies an identifier, the serial number of an object.")

I know this, but based on private mails the PI advocates still think this is a bad use of serialNumber. As you probably don't care about PI, you have nothing to worry about.

In case you DO care about PI, please show me how YOU would
apply PI to the following RFC3039 compliant "Swedish" certificate:

DN: CN=John Doe, serialNumber=676767666767, C=SE

serialNumber=676767666767 is used to make the difference between two entities that otherwise would have the same name, i.e. DN: CN=John Doe, C=SE.


Using such a large number is allowed but not strictly needed, since if there are four people with the attributes DN: CN=John Doe, C=SE then using serial numbers from 1 to 4 would be sufficient. I do know that in fact 676767666767 would make it possible to uniquely identify the individual, but this is not the semantics of that attribute.

However, placing 676767666767 in the PI (with an Assigner Authority like "Swedish XXX" defined using an OID) does make it possible to uniquely identify the individual, irrespective of its DN.

So there is no contradiction.

Denis
Anders