Re: X.509 certificate and its subject name field
Stephen Kent writes:
> Is the Subject UID globally unique? I don't recall the spec
> providing an algorithm for ensuring such uniqueness across all CAs. My
> recollection was that the SUID was intended to be used in conjunction with
> the Subject DN to increase the likelihood that the combination of the two
> would be unique, but it still would not be a guarantee.
In the absence of a single global name space for Subject DNs, ensuring
this uniqueness remains a problem, and SUID doesn't help much. But it
does help in the case where two names clash in the same local name
space; ensuring uniqueness is then a local administration problem.
> That's why there
> also is an Issuer UID, suggesting the need to check both the Issuer and
> Subject DNs and UIDs all the way along a chain to ensure uniqueness in the
> context of DNs that are not temporally unique. That makes for some very
> ugly ACL entries!
I believe that the IUID has no such connection with the SUID as you
imply; it is there primarily to provide completeness (against the very
unlikely occasion that a second CA with the same DN starts issuing
certs ... the IUID would provide a distinction in the same way that
SUID distinguishes Subjects with the same DN).
And yes, where UIDs are being used, they should be checked!
David Boyce.
--
David Boyce
Tel: +44 181 332 9091 Richmond, Surrey, ENGLAND
I'net: d.boyce@isode.com Isode's WWW: http://www.isode.com/
X.400: I=d;S=boyce;P=isode;A=mailnet;C=fi;
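The name/UID chaining the two posts argue about, as an added example (this is not code from the thread or from Isode). It constructs two unsigned X.509 certificates in DER, pulls the issuerUniqueID ([1] IMPLICIT) and subjectUniqueID ([2] IMPLICIT) out of the TBSCertificate, and matches a certificate to its issuer on DN and UID together, so two CAs that share a DN are told apart while DN-only matching cannot separate them. Assumptions of the example: Names are compared as raw DER bytes (X.501 name matching is not applied), no signature is verified, and the matching policy (if either side carries a UID, the child's issuerUniqueID must equal the candidate's subjectUniqueID) is the example's own reading of "where UIDs are being used, they should be checked". The sample certificates and their UID values are constructed here.

```python
# Added example: extract and check X.509 unique identifiers along a chain.
# Not Isode's code and not from the thread; sample certificates are constructed.
from dataclasses import dataclass
from typing import List, Optional

# ---- minimal DER encoder, just enough to construct the samples -------------
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

CN_OID = b"\x06\x03\x55\x04\x03"                              # id-at-commonName
SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption

def name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF RDN, RDN ::= SET OF AttributeTypeAndValue (one CN only)
    return der(0x30, der(0x31, der(0x30, CN_OID + der(0x0C, cn.encode()))))

def make_cert(issuer_cn: str, subject_cn: str, issuer_uid: Optional[bytes] = None,
              subject_uid: Optional[bytes] = None, version: int = 1) -> bytes:
    """Constructed, unsigned sample certificate. version: 0 = v1, 1 = v2, 2 = v3."""
    alg = der(0x30, SHA256_RSA + b"\x05\x00")
    # [0] EXPLICIT Version is DEFAULT v1, so DER omits it for v1
    fields = [] if version == 0 else [der(0xA0, der(0x02, bytes([version])))]
    fields += [der(0x02, b"\x01"),                                     # serialNumber (dummy)
               alg, name(issuer_cn),
               der(0x30, der(0x18, b"20240101000000Z") + der(0x18, b"20250101000000Z")),
               name(subject_cn),
               der(0x30, alg + der(0x03, b"\x00\x00"))]                # SPKI placeholder, no real key
    if issuer_uid is not None:
        fields.append(der(0x81, b"\x00" + issuer_uid))   # [1] IMPLICIT BIT STRING, 0 unused bits
    if subject_uid is not None:
        fields.append(der(0x82, b"\x00" + subject_uid))  # [2] IMPLICIT BIT STRING, 0 unused bits
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))  # dummy signature BIT STRING

# ---- minimal DER reader (single-byte tags are all this structure uses) -----
def read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

@dataclass
class CertNames:
    version: int
    issuer: bytes                 # raw DER Name body, compared byte-for-byte
    subject: bytes
    issuer_uid: Optional[bytes]
    subject_uid: Optional[bytes]

def parse_names(cert: bytes) -> CertNames:
    _, cert_body, _ = read_tlv(cert, 0)
    fields = children(children(cert_body)[0][1])     # TBSCertificate fields in order
    version, i = 0, 0
    if fields[0][0] == 0xA0:                         # [0] EXPLICIT Version present
        version, i = int.from_bytes(children(fields[0][1])[0][1], "big"), 1
    # fields[i]=serial, [i+1]=signature, [i+2]=issuer, [i+3]=validity,
    # [i+4]=subject, [i+5]=subjectPublicKeyInfo, then the optional tagged fields
    iuid = suid = None
    for tag, val in fields[i + 6:]:
        if tag == 0x81:
            iuid = val[1:]                           # drop the unused-bits octet
        elif tag == 0x82:
            suid = val[1:]
    if (iuid is not None or suid is not None) and version < 1:
        raise ValueError("unique identifiers were introduced in v2; v1 cert cannot carry them")
    return CertNames(version, fields[i + 2][1], fields[i + 4][1], iuid, suid)

# ---- name chaining: DN and UID together ------------------------------------
def issuer_matches(child: CertNames, candidate: CertNames) -> bool:
    """DN must match; if either side carries a UID, the UIDs must match too
    (this example's policy for 'where UIDs are being used, they should be checked')."""
    if child.issuer != candidate.subject:
        return False
    if child.issuer_uid is None and candidate.subject_uid is None:
        return True
    return child.issuer_uid == candidate.subject_uid

def find_issuers(child: CertNames, candidates: List[CertNames]) -> List[CertNames]:
    return [c for c in candidates if issuer_matches(child, c)]

# Constructed samples: two CAs with the same DN told apart by SUID, and two
# more with the same DN and no UIDs at all (the clash the thread describes).
CA_A = parse_names(make_cert("Example Root", "Example CA", subject_uid=b"\x01"))
CA_B = parse_names(make_cert("Example Root", "Example CA", subject_uid=b"\x02"))
CA_PLAIN_1 = parse_names(make_cert("Example Root", "Example CA"))
CA_PLAIN_2 = parse_names(make_cert("Example Root", "Example CA"))
ALL_CAS = [CA_A, CA_B, CA_PLAIN_1, CA_PLAIN_2]
LEAF = parse_names(make_cert("Example CA", "alice", issuer_uid=b"\x02"))
LEAF_NO_UID = parse_names(make_cert("Example CA", "alice"))

if __name__ == "__main__":
    print("leaf with IUID   ->", len(find_issuers(LEAF, ALL_CAS)), "candidate issuer(s)")
    print("leaf without IUID->", len(find_issuers(LEAF_NO_UID, ALL_CAS)), "candidate issuer(s)")
```

With the UID present the leaf resolves to exactly one of the two same-named CAs; without it, DN matching alone returns both plain CAs and the ambiguity Kent describes is visible. The version check reflects the rule that unique identifiers only exist from v2 onward; an ACL or chain builder that honours UIDs should reject a v1 certificate carrying one rather than silently ignore the field.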