Re: X.509 certificate and its subject name field
- To: Shyh-Wei Luan <luan@xxxxxxxxxxxxxxx>
- Subject: Re: X.509 certificate and its subject name field
- From: Stephen Kent <kent@xxxxxxx>
- Date: Wed, 28 May 1997 09:34:43 -0400
- Cc: ietf-pkix <ietf-pkix@xxxxxxxxxx>, ssl-talk <ssl-talk@xxxxxxxxxxxx>
- References: Stephen Kent <kent@bbn.com> "Re: X.509 certificate and its subject name field" (May 27, 1:46pm); Stephen Kent <kent@bbn.com> "Re: X.509 certificate and its subject name field" (May 23, 5:12pm)
Shyh-Wei,
Is the Subject UID globally unique? I don't recall the spec
providing an algorithm for ensuring such uniqueness across all CAs. My
recollection was that the SUID was intended to be used in conjunction with
the Subject DN to increase the likelihood that the combination of the two
would be unique, but it still would not be a guarantee. That's why there
also is an Issuer UID, suggesting the need to check both the Issuer and
Subject DNs and UIDs all the way along a chain to ensure uniqueness in the
context of DNs that are not temporally unique. That makes for some very
ugly ACL entries!
As for corporate mergers, those would change the Issuer DNs at some
point, at least for a company that was absorbed, and thus all the user
certs would need to be reissued and ACLs updated. If the companies merge
to form a newly named entity, then everyone gets a new cert, and all the
ACLs need to be fixed, as none of the old entries will match any of the
new names.
Steve
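The post's argument, as an added illustration that is not part of the original message: an ACL keyed on the end-entity Subject DN alone cannot tell two holders of a reused DN apart, whereas a key built from Issuer/Subject DN and UID for every certificate on the chain can, and a merger that renames the issuer invalidates both kinds of entry. The `Cert` model, the chains and the names in it are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the X.509 v2 fields discussed above: the Issuer and
# Subject DNs plus the optional issuerUniqueID / subjectUniqueID.
@dataclass(frozen=True)
class Cert:
    issuer_dn: str
    subject_dn: str
    issuer_uid: Optional[bytes] = None   # issuerUniqueID (optional in v2)
    subject_uid: Optional[bytes] = None  # subjectUniqueID (optional in v2)

def dn_only_key(chain: Tuple[Cert, ...]) -> str:
    """Weak ACL key: end-entity Subject DN alone; ambiguous once a DN is reused."""
    return chain[-1].subject_dn

def chain_key(chain: Tuple[Cert, ...]):
    """Stronger ACL key: Issuer/Subject DN and UID of every cert on the chain,
    so a reissued DN carrying a different UID does not match the old entry."""
    return tuple((c.issuer_dn, c.issuer_uid, c.subject_dn, c.subject_uid) for c in chain)

def acl_permits(acl: set, key_fn, chain: Tuple[Cert, ...]) -> bool:
    """True if the chain's key appears in the ACL (a set of keys)."""
    return key_fn(chain) in acl

# Constructed chains: CA cert issued by a root, then an end-entity cert.
ca_old = Cert("CN=Root", "CN=Acme CA", subject_uid=b"\x01")
user1 = Cert("CN=Acme CA", "CN=Pat,O=Acme", issuer_uid=b"\x01", subject_uid=b"\x0a")
chain_original = (ca_old, user1)

# The same DN later issued to a different person (DN not temporally unique);
# only the subjectUniqueID differs.
user2 = Cert("CN=Acme CA", "CN=Pat,O=Acme", issuer_uid=b"\x01", subject_uid=b"\x0b")
chain_reissued_dn = (ca_old, user2)

# After a merger the issuer and subject names change, so old entries match nothing.
ca_new = Cert("CN=Root", "CN=MegaCorp CA", subject_uid=b"\x02")
user3 = Cert("CN=MegaCorp CA", "CN=Pat,O=MegaCorp", issuer_uid=b"\x02", subject_uid=b"\x0a")
chain_after_merger = (ca_new, user3)

acl_weak = {dn_only_key(chain_original)}
acl_strong = {chain_key(chain_original)}
```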