
Re: X.509 certificate and its subject name field



Marc,

I'm very puzzled by some of your comments:

	- DNs are unique, by definition.  the set of attributes used to
define DNs in some context is determined by the CA, using well-defined
attribute types.  if you want a closed system, you can do anything you
like, but your comments are addressed toward an open, interoperable system.

	- if you don't put the whole DN in the ACL entry, then you are not
ensured of uniqueness, since no sequence of RDNs is guaranteed to be
unique, at least not in an open system.  duplicate RDNs may well arise
under different CAs, so it would seem imprudent to use them as ACL entries.

	- if it's an open system, and you are creating ACL entries for
users under the auspices of other CAs, then you must be prepared to have
these CAs use various attributes and naming schema for the DNs, which will
affect the ACL code.

	- the Subject UID field is OPTIONAL in the X.509 v2/3 specs.  an
open system, basing an ACL design on them, irrespective of the management
vulnerabilities I alluded to earlier, seems inconsistent with the status of
these fields as OPTIONAL.

Based on these observations, I'm not sure I understand how interoperability
is enhanced by the proposed use of Subject UIDs.

Steve
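The collision the post warns about, as an added example that is not part of the thread: a toy string-DN parser and two ACL lookups over constructed certificates (all CA and subject names below are made up). A partial-RDN entry matches subjects issued by two unrelated CAs, while a full-DN entry scoped to its issuer matches exactly one.

```python
def parse_dn(dn: str) -> tuple:
    """Parse a string DN such as 'CN=Alice,OU=Eng,O=Acme,C=US' into an
    ordered tuple of (type, value) RDNs.  Teaching parser only: escaped
    commas and multi-valued RDNs from RFC 4514 are not handled."""
    rdns = []
    for part in dn.split(","):
        attr_type, sep, value = part.strip().partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return tuple(rdns)


# Constructed (issuer DN, subject DN) pairs from two different CAs.  The
# CN alone collides; the full subject DN and its issuer do not.
CERTS = [
    ("CN=CA One,O=First CA,C=US", "CN=Alice Smith,OU=Eng,O=Acme,C=US"),
    ("CN=CA Two,O=Second CA,C=DE", "CN=Alice Smith,OU=Sales,O=Globex,C=DE"),
]


def matches_partial(acl_rdns: str, subject: str) -> bool:
    """ACL entry holding only some RDNs: match if every RDN in the entry
    appears somewhere in the certificate's subject DN."""
    return set(parse_dn(acl_rdns)) <= set(parse_dn(subject))


def matches_full(acl_issuer: str, acl_subject: str,
                 issuer: str, subject: str) -> bool:
    """ACL entry holding the whole subject DN, scoped to the issuing CA."""
    return (parse_dn(acl_issuer) == parse_dn(issuer)
            and parse_dn(acl_subject) == parse_dn(subject))


def who_matches_partial(acl_rdns: str) -> list:
    """Subjects granted access by a partial-RDN ACL entry."""
    return [subj for _, subj in CERTS if matches_partial(acl_rdns, subj)]


def who_matches_full(acl_issuer: str, acl_subject: str) -> list:
    """Subjects granted access by a full-DN ACL entry."""
    return [subj for iss, subj in CERTS
            if matches_full(acl_issuer, acl_subject, iss, subj)]
```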