
Re: RFC 3039 problems - Was: Re: The IETF 56 - PKIX Agenda




Anders,


Denis,

A crux with your suggestion is that it is correct but "looks" strange
and leads to confusion. To use a nonsense disambiguator like "3"
("why do you call me John Doe the 3rd?") when there already is a known and meaningful "676767666767" leads to the effective
duplication of this information in most real PI-cases.

Extract from RFC 3039:


   The serialNumber attribute type SHALL, when present, be used to
   differentiate between names where the subject field would otherwise
   be identical.  This attribute has no defined semantics beyond
   ensuring uniqueness of subject names.  It MAY contain a number or
   code assigned by the CA or an identifier assigned by a government or
   civil authority.  It is the CA's responsibility to ensure that the
   serialNumber is sufficient to resolve any subject name collisions.

"3" or "676767666767" are both valid values, but have no defined semantics beyond ensuring uniqueness of subject names. The SN attribute cannot be used in isolation to make an access control decision, since, from this definition, it is perfectly allowed for a CA to issue certificates for different entities that include the same SN value.

I believe that your question has been answered.

Denis


This means that CAs have little motives for ever dropping their
RFC3039-variant of "PI".  And new CAs will likely also follow
RFC3039 due to the same issue.

Since most of these permanent-identifier-using CAs only support
a single name-space (given the non-utility of policy-extensions in
real-world software), the motives for adding the other part of
the PI-information also become limited.  Particularly as RPs
are equally singular in most cases.

And how are RPs supposed to know when they can drop support
for the RFC3039 way of doing things?

That's why I suggested, rather early, that we together should bring
out another scheme, where high-level PKI objects as constituted by
CA/EE, would be made conformant to the schemes used in most other
parts of the IT-industry, i.e. self-describing to some extent.


Such a scheme would be a true companion to RFC3039 instead of a
"competitor" regarding "where to stuff identify information".

====================================================
    If the Internet had reached the same technical maturity level as PKI
    as represented by RFC3280, we would still not have had DNS,
    but rather be fully occupied tweaking "hosts" files.
====================================================


Using such a large number is allowed but not strictly needed, since if there are four people with the attributes DN: CN=John Doe, C=SE then using serial numbers from 1 to 4 would be sufficient. I do know that in fact 676767666767 would allow one to uniquely identify the individual, but this is not the semantics of that attribute.


This is though specified as an option in RFC3039 (although the text is
not that well written).


Anders

----- Original Message ----- From: "Denis Pinkas" <Denis.Pinkas@xxxxxxxx>
To: "Anders Rundgren" <anders.rundgren@xxxxxxxxx>
Cc: <ietf-pkix@xxxxxxx>; "Stefan Santesson" <stefan@xxxxxxxxxxxxxx>
Sent: Tuesday, March 11, 2003 17:57
Subject: Re: RFC 3039 problems - Was: Re: The IETF 56 - PKIX Agenda



Anders,


Since you asked, here is a short TECHNICAL reply.


Stefan,


The conclusion is that in your opinion there is no problem with
RFC 3039 with regard to this.

Personally I have had a hard time seeing the problem with this.
This was sorted out many years ago and X.520 was even updated to
clarify that it was appropriate to accommodate this use, i.e. assigning
identifiers to humans. (X.520: "The Serial Number attribute
type specifies an identifier, the serial number of an object. ")

I know this but based on private mails the PI advocates still think this is a bad use of serialNumber. As you probably don't care about PI you have nothing to worry about.

In case you DO care about PI, please show me how YOU would
apply PI to the following RFC3039 compliant "Swedish" certificate:

DN: CN=John Doe, serialNumber=676767666767, C=SE


serialNumber=676767666767 is used to make the difference between two entities that otherwise would have the same name, i.e. DN: CN=John Doe, C=SE.

Using such a large number is allowed but not strictly needed, since if there are four people with the attributes DN: CN=John Doe, C=SE then using serial numbers from 1 to 4 would be sufficient. I do know that in fact 676767666767 would allow one to uniquely identify the individual, but this is not the semantics of that attribute.

However, placing 676767666767 in the PI (with an Assigner Authority like "Swedish XXX" defined using an OID) does allow one to uniquely identify the individual, irrespective of its DN.

So there is no contradiction.

Denis








Anders
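Added example, not part of the thread above nor of RFC 3039: a small model of the distinction the two messages argue about. The RFC 3039 extract says the subject serialNumber attribute only guarantees uniqueness of subject names within the issuing CA's name space, so a relying party that keys an access decision on the serialNumber value alone can conflate two people certified by different CAs; a permanent identifier, by contrast, names the person through its assigner authority regardless of the subject DN. All CA names, the assigner-authority OID and the identifier values below are constructed placeholders, and the DN parser handles only the RFC 4514 comma escape.

```python
"""Added example (not from the PKIX thread or RFC 3039).  Shows why the
subject serialNumber attribute cannot serve as an identity key by itself,
while a permanent identifier (PI) with an assigner authority can.
Every CA, OID and identifier value here is a constructed placeholder."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, List, Optional, Tuple

DN = Tuple[Tuple[str, str], ...]


def parse_dn(dn: str) -> DN:
    """Parse 'CN=John Doe, serialNumber=3, C=SE' into (type, value) pairs.
    A backslash escapes a comma inside a value (RFC 4514 style); attribute
    types are lower-cased because they are case-insensitive."""
    parts: List[str] = []
    buf, escaped = "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    out: List[Tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        out.append((attr.strip().lower(), value.strip()))
    return tuple(out)


@dataclass(frozen=True)
class Cert:
    issuer: str                            # issuing CA's DN
    subject: str                           # subject DN (may carry serialNumber)
    pi: Optional[Tuple[str, str]] = None   # (assigner-authority OID, value)


def serial_number(cert: Cert) -> Optional[str]:
    """The subject serialNumber attribute, or None if the DN has none."""
    return dict(parse_dn(cert.subject)).get("serialnumber")


# Three keys a relying party might use to answer "which person is this?"
def key_serial_only(cert: Cert) -> Hashable:
    # Wrong: serialNumber has no semantics beyond uniqueness inside one CA.
    return serial_number(cert)


def key_issuer_subject(cert: Cert) -> Hashable:
    # The actual scope of the RFC 3039 uniqueness guarantee: one CA's name space.
    return (parse_dn(cert.issuer), parse_dn(cert.subject))


def key_pi(cert: Cert) -> Hashable:
    # A PI names the person via its assigner authority, independent of the DN.
    return cert.pi


def group_by(certs: List[Cert], key: Callable[[Cert], Hashable]) -> Dict[Hashable, List[int]]:
    """Indices of the certificates, grouped by the chosen identity key."""
    groups: Dict[Hashable, List[int]] = defaultdict(list)
    for i, c in enumerate(certs):
        groups[key(c)].append(i)
    return dict(groups)


def same_entity(a: Cert, b: Cert) -> bool:
    """Do two certificates name the same entity?  Equal serialNumbers alone
    never decide this: either both carry the same PI, or both come from the
    same CA with the same subject DN."""
    if a.pi is not None and b.pi is not None:
        return a.pi == b.pi
    return key_issuer_subject(a) == key_issuer_subject(b)


# Constructed sample: two unrelated CAs each certify a different "John Doe"
# with serialNumber=3 (permitted by RFC 3039), and a third CA certifies the
# first John Doe again, without a serialNumber because it has only one John Doe.
PI_AUTHORITY = "1.2.3.4.5"   # placeholder OID standing in for a civil registry
CERTS = [
    Cert("CN=CA One, C=SE", "CN=John Doe, serialNumber=3, C=SE", (PI_AUTHORITY, "676767666767")),
    Cert("CN=CA Two, C=SE", "CN=John Doe, serialNumber=3, C=SE", (PI_AUTHORITY, "198001011234")),
    Cert("CN=CA Three, C=SE", "CN=John Doe, C=SE", (PI_AUTHORITY, "676767666767")),
]

if __name__ == "__main__":
    for name, key in [("serialNumber only", key_serial_only),
                      ("issuer + subject", key_issuer_subject),
                      ("PI", key_pi)]:
        print(f"{name:18}: {group_by(CERTS, key)}")
```

Grouping by serialNumber alone puts certificates 0 and 1, two different people, in one bucket and gives certificate 2 no key at all; grouping by issuer plus subject yields three singleton groups, which is exactly the uniqueness the RFC promises and nothing more; grouping by PI is the only key that links certificates 0 and 2 to the same person while keeping certificate 1 apart.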