Re: X.509 certificate and its subject name field
Steve,
On May 23, 5:12pm, Stephen Kent wrote:
> Subject: Re: X.509 certificate and its subject name field
> Shyh-Wei Luan,
>
> The reasons you cite are ones that motivated the introduction of the
> Subject and Issuer Unique IDs. However, one can argue that appropriate
> care in managing names can largely avoid this problem. For example, every
> company I know assigns an employee ID (or payroll ID, or whatever)
> specifically to distinguish among folks who work for the company
> (either at the same time or over some time interval) and who may have the
> same name. If one uses a DN in the Subject field, it would be appropriate
> to make the terminal RDN be a set, consisting of a common name and an
> employee ID number, to do the same thing that the personnel/payroll
> departments figured out years ago. So, for organizational persons, this
> argues against using the Subject UID field.
I agree that one can manage to make the "subject name" field unique. My
point is that the guideline/recommendation for the field should be
comprehensibility, simplicity, and functionality (e.g., dividing the name
space through the hierarchy of DNs). Let the Subject UID field address
the uniqueness, be it a timestamp, a serial number, a DCE UUID, or anything
that serves the purpose.
> For many other contexts,
> account numbers are likely to be employed as Subject IDs, and the
> organizations dealing with the certs already know how to manage account
> number rollover (and often will not be using ACLs as one might in a
> distributed system).
It would be very different in my vision of the PKI of a distributed world.
For (a hypothetical) example, Verisign would be in big trouble if it rolled
over somebody's subject ID and allowed the new customer to access some of the
"Internet assets" of the original owner of the ID. Rolling over ID's
in a constrained environment may be possible, but doing that in a webbed
world may be disastrous.
Shyh-Wei
>-- End of excerpt from Stephen Kent
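
The ACL consequence both writers are arguing about, as an added example that is not part of the original message or of any PKI product: certificates are reduced to a subject DN (each RDN a set of attribute/value pairs) plus an optional Subject Unique ID, and an ACL written for the old holder is tested against a certificate issued to a new one. All names, IDs and helper functions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def rdn(**attrs):
    """One RDN: an unordered set of (attribute, value) pairs."""
    return frozenset(attrs.items())

@dataclass(frozen=True)
class Cert:
    """Simplified stand-in for an X.509 certificate (no signature, no issuer)."""
    subject: tuple                      # DN as a tuple of RDNs
    subject_uid: Optional[str] = None   # models the Subject Unique ID field

# Constructed sample name space; every name and ID below is hypothetical.
ORG = (rdn(C="US"), rdn(O="Example Corp"))

def key_name_only(cert):
    return cert.subject

def key_name_and_uid(cert):
    return (cert.subject, cert.subject_uid)

def access_after_reissue(old, new, key_fn):
    """ACL is written for `old`; report whether `new` gets through it."""
    acl = {key_fn(old)}
    return key_fn(new) in acl

def scenarios():
    plain = ORG + (rdn(CN="John Smith"),)
    return {
        # Same common name, nothing else: the second John Smith inherits access.
        "cn_only": access_after_reissue(Cert(plain), Cert(plain), key_name_only),
        # Terminal RDN is a set {CN, employee ID}: names differ, access denied.
        "multi_valued_rdn": access_after_reissue(
            Cert(ORG + (rdn(CN="John Smith", employeeID="1001"),)),
            Cert(ORG + (rdn(employeeID="2002", CN="John Smith"),)),
            key_name_only),
        # Simple DN plus Subject UID: denied only if the ACL compares the UID.
        "uid_checked": access_after_reissue(
            Cert(plain, "uid-0001"), Cert(plain, "uid-0002"), key_name_and_uid),
        "uid_ignored": access_after_reissue(
            Cert(plain, "uid-0001"), Cert(plain, "uid-0002"), key_name_only),
        # ID rollover: the old identifier is handed to a new subject.
        "uid_rolled_over": access_after_reissue(
            Cert(plain, "uid-0001"), Cert(plain, "uid-0001"), key_name_and_uid),
    }

if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name:18} new holder granted: {granted}")
```

Either naming scheme keeps the new holder out only while the distinguishing value is never reused and the relying party actually compares it.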