[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute

To: <ietf-pkix@xxxxxxx>
Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
From: "Manger, James H" <James.H.Manger@xxxxxxxxxxxxxxxx>
Date: Mon, 19 Jul 2004 15:07:53 +1000
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
Thread-index: AcRpISpRw39Rj0boTiKQ1oDDudjrzgEIUs5Q
Thread-topic: I-D ACTION:draft-ietf-pkix-pi-10.txt

1.
The ability to flag a serialNumber attribute value in the subject name as a permanent identifier is a nice feature.  Requiring that there only be a single serialNumber attribute, however, is unnecessarily restrictive.  It seems quite sensible to use serialNumber attributes to hold company numbers, org unit ids and/or personal identifiers.  For example: cn="John Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS 554433", c=US.  The PI extension would refer to 12345.

[Section 2] Change the ASN.1 comment for the identifierValue field of PermanentIdentifier to:
" -- if absent, use the deepest serialNumber attribute value in the subject DN"

[Section 2] Change the paragraph that begins "When the identifierValue field is absent" to:
"When the identifierValue field is absent, then the deepest serialNumber attribute value from the subject DN is the value to be taken for the identifierValue.  An attribute is "deeper" if it occurs later in the sequence of RDNs that make up the DN.  A "deeper" attribute occurs earlier in the string representation of a DN [RFC2253], which start encoding the last element of the RDN sequence that makes up a DN and moves backwards towards the first.  The PermanentIdentifier SHALL NOT be used if there is no serialNumber attribute in the subject DN.



2.
Why can't the assigner field be present but the identifierValue field be absent (refer to the serialNumber attribute)?  An absent identifierValue is simply "shorthand" to avoid duplicating a value -- it doesn't really have any sematic value so shouldn't have any impact on the assigner field (or vice versa).



3.
The security considerations section mentions an identifierType field that no longer exists.


> ----------
> From: 	Internet-Drafts@xxxxxxxx [mailto:Internet-Drafts@xxxxxxxx] 
> Sent:	Wednesday, 14 July 2004 6:05 AM
> 
> 	Title		: Internet X.509 Public Key Infrastructure Permanent Identifier
> 	Author(s)	: D. Pinkas, T. Gindin
> 	Filename	: draft-ietf-pkix-pi-10.txt
> 	Date		: 2004-7-13
> 	
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
> 
> 	----------
> 	From: 	Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx] 
> 	Sent:	Thursday, 15 July 2004 6:06 PM
> 	Cc:	ietf-pkix@xxxxxxx
> 
		... the definition of the PI has been changed to allow to use the serialNumber attribute from the subject DN.

Follow-Ups:
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
  - From: Denis Pinkas
- Re: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
  - From: Anders Rundgren

Prev by Date: Re: I-D ACTION:draft-ietf-pkix-pi-10.txt
Next by Date: Re: Request: Send me signed messages
Previous by thread: forwarding
Next by thread: Re: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Index(es):
- Date
- Thread