
Re: X.509 certificate and its subject name field



Commenting on the points below, the main problem here comes from a need to
have a hierarchy or linked-list type of situation which essentially
represents an external reference frame. You must have an external
reference frame as current certification procedures go -- with any of
them. 

This external reference, even if it is v-e-r-y flat with just one level 
directly linked to a root-key (which is neither practical nor usual) has 
an internal hierarchy of level one versus level zero (the root-key).

So, the solution is not changing to SSNs, which does pose not only privacy
problems but risks as well -- the least being junk mail, but changing the 
model.

Meta-Certificates do just that, by allowing certification without external
reference frames -- which is not self-certification of course -- and 
which offers other properties.

This work is being discussed by the MCG, a non-profit open international 
group with 56 people from 16 countries, with www page at

http://novaware.cps.softex.br/mcg.htm

and mirrors (addresses at the page)

Cheers,

Ed Gerck


On Wed, 28 May 1997, Nick Pope wrote:

> In reply to your message of 27 May 97, 19:08:
> 
> One solution is to use a national ID scheme.  In the UK all employed 
> people are given a National Insurance number which is unique to them 
> and doesn't change over their lifetime.  There may 
> be however some privacy questions with such a scheme
> 
> Nick Pope
> 
> > Steve,
> > 
> > Let's think what happens during a corporate reorganization, company
> > mergers, or country unifications (:)).   Names and directories may
> > change!  If UID's are embedded in names and if applications do not
> > carve out the UID's for use in authorization decisions/ACL's, then we
> > will have a BIG trouble!  If it is suggested that applications will
> > have to pick up the UID from within the subject name, then it should
> > be made clear in the spec.  But, then how would non-X500 names be
> > dealt with when they are supported???  Why don't we suggest the use of
> > the Subject UID field, then sit back and relax.
> > 
> > On May 27,  1:46pm, Stephen Kent wrote:
> > > Subject: Re: X.509 certificate and its subject name field
> > > Shyh-Wei,
> > >
> > >       I think that, for organizational persons, a second component for
> > > the terminal RDN would usually be something that those managing the local
> > > namespace would see as natural, i.e., it is something like an employee ID
> > > number that has already been assigned and thus is not an arbitrary string
> > > like the Subject UID.
> > 
> > Why can't an employee ID number be used as the Subject UID, if the ID
> > is never reused?
> > 
> > >
> > >-- End of excerpt from Stephen Kent
> > 
> > 
> > 
> > 
> 
> -------------------------------------
> 
> 
> Security & Standards
> Suite A
> 191 Moulsham St.
> Chelmsford
> Essex
> CM2 0LG
> U.K.
> 
> Tel: +44 1245 495018
> Fax: +44 1245 494517
> 
> 


__________________________________________________________________________
Dr.rer.nat. E. Gerck                             Phone/Fax: +55-19-2429533
egerck@laser.cps.softex.br                   http://novaware.cps.softex.br
P. O. Box 1201   -   CEP 13001-970    -   Campinas    -   SP    -   Brazil
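The concern raised in the quoted exchange above (a UID embedded in the subject name versus an identifier an application carves out for authorization decisions) can be made concrete. The following is an added example, not code from the thread or from the MCG: it assumes a string-form DN, a multi-valued terminal RDN carrying a hypothetical `employeeNumber` attribute, and a toy in-memory ACL.

```python
# Added example (not from the thread): parse an X.500-style DN string
# with multi-valued RDNs ("+") and backslash-escaped separators, then
# compare an ACL keyed on the whole subject DN with one keyed on a
# stable identifier carved out of the terminal RDN.

def _commit(rdn, key, buf, dn):
    """Store the attribute collected so far; reject 'CN' with no '='."""
    if key is None:
        raise ValueError(f"malformed DN: {dn!r}")
    rdn[key] = "".join(buf).strip()

def parse_dn(dn: str) -> list:
    """Return a list of RDNs, most specific first; each RDN is a dict of
    attribute type (lower-cased, types are case-insensitive) -> value."""
    rdns, rdn, key, buf, i = [], {}, None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped ',', '+', '=' ...
            buf.append(dn[i + 1]); i += 2; continue
        if c == "=" and key is None:
            key, buf = "".join(buf).strip().lower(), []
        elif c in ",+":                         # end of attribute (+) or RDN (,)
            _commit(rdn, key, buf, dn); key, buf = None, []
            if c == ",":
                rdns.append(rdn); rdn = {}
        else:
            buf.append(c)
        i += 1
    _commit(rdn, key, buf, dn); rdns.append(rdn)
    return rdns

def stable_id(dn: str, id_attr: str = "employeeNumber"):
    """Carve the (hypothetical) employeeNumber out of the terminal RDN."""
    return parse_dn(dn)[0].get(id_attr.lower())

class Acl:
    """Toy ACL: grants are stored under whatever key key_fn derives."""
    def __init__(self, key_fn):
        self.key_fn, self.entries = key_fn, set()
    def grant(self, subject_dn): self.entries.add(self.key_fn(subject_dn))
    def allows(self, subject_dn):
        k = self.key_fn(subject_dn)
        return k is not None and k in self.entries

def demo():
    """Constructed DNs: the same person before and after a merger renames
    OU and O. Returns (allowed by DN-keyed ACL, allowed by ID-keyed ACL)."""
    before = "CN=Jane Doe+employeeNumber=1001,OU=Sales,O=Acme"
    after = "CN=Jane Doe+employeeNumber=1001,OU=Sales\\, EMEA,O=Acme Holdings"
    by_name, by_id = Acl(lambda d: d), Acl(stable_id)
    by_name.grant(before); by_id.grant(before)
    return by_name.allows(after), by_id.allows(after)   # -> (False, True)
```

The DN-keyed ACL silently loses the grant after the reorganization, while the ACL keyed on the carved-out identifier survives it, which is the point Shyh-Wei makes about applications having to extract the UID themselves.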