Re: X.509 certificate and its subject name field
Steve,
On May 28, 7:20pm, Stephen Kent wrote:
> - DNs are unique, by definition. The set of attributes used to
> define DNs in some context is determined by the CA, using well-defined
> attribute types. If you want a closed system, you can do anything you
> like, but your comments are addressed toward an open, interoperable system.
I don't know how you derived the conclusion that using a per-CA Unique Subject
ID makes it a closed system. I would say this approach puts things in a better
context. Say I am registered with IBM's CA as employee number 123456 and
I am authorized by hundreds of ACLs inside and outside IBM over a number of
years. It would be better if the ACLs use a (123456,CA=IBM) entry than a
(IBM/Research/Almaden/Shyh-Wei Luan,123456) entry. The latter would
require me to request the change of all the ACL entries when I change my name
(say, if I get an English name) or if I change a department. The former
ACL entry can be annotated with the directory name (or any other name) for the
ease of browsing and management, and the annotation can be refreshed
periodically by the ACL managers. I don't have to remember where these ACLs
are, and the timeliness of the changes of the annotations is not critical.
Shyh-Wei
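The two ACL designs compared in the message above, as an added example that is not part of the original post or of any PKIX implementation. It models an ACL keyed by (unique subject ID, issuing CA) next to one keyed by the subject DN, runs the department-change case the post describes, and shows the DN annotation being refreshed as a separate, non-critical step. The `Cert` records, the ACL classes and all names (the "IBM/Software/Austin/..." DN, the second CA "CA=Example") are constructed for the example; the only assumption is that the relying party has already validated the certificate chain, so the issuer it reads is the CA that really signed the certificate.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Stand-in for the certificate fields an ACL check reads. Assumption:
    the chain has already been validated, so `issuer` is the CA that
    really signed this certificate (constructed example type)."""
    issuer: str      # e.g. "CA=IBM"
    subject_dn: str  # directory name; changes on rename or transfer
    subject_id: str  # identifier the CA keeps stable for this subject


class DnKeyedAcl:
    """Entries keyed by the subject DN (the form the post argues against)."""

    def __init__(self) -> None:
        self._entries: Dict[str, Set[str]] = {}

    def grant(self, subject_dn: str, right: str) -> None:
        self._entries.setdefault(subject_dn, set()).add(right)

    def allows(self, cert: Cert, right: str) -> bool:
        return right in self._entries.get(cert.subject_dn, set())


class IdKeyedAcl:
    """Entries keyed by (subject_id, issuer). The DN is stored only as an
    annotation for browsing and is never consulted for the decision."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], Set[str]] = {}
        self._annotation: Dict[Tuple[str, str], str] = {}

    def grant(self, subject_id: str, issuer: str, right: str,
              annotation: Optional[str] = None) -> None:
        key = (subject_id, issuer)
        self._entries.setdefault(key, set()).add(right)
        if annotation is not None:
            self._annotation[key] = annotation

    def allows(self, cert: Cert, right: str) -> bool:
        # The issuer is part of the key: 123456 at another CA is a
        # different principal, not this entry.
        return right in self._entries.get((cert.subject_id, cert.issuer), set())

    def annotation(self, subject_id: str, issuer: str) -> Optional[str]:
        return self._annotation.get((subject_id, issuer))

    def refresh_annotations(self, current_certs: List[Cert]) -> int:
        """Periodic, non-critical job run by the ACL manager: copy the
        current DN from each subject's latest certificate. Returns the
        number of entries whose annotation changed."""
        updated = 0
        for cert in current_certs:
            key = (cert.subject_id, cert.issuer)
            if key in self._entries and self._annotation.get(key) != cert.subject_dn:
                self._annotation[key] = cert.subject_dn
                updated += 1
        return updated


def scenario() -> dict:
    """Walk through the post's example: employee 123456 at IBM's CA changes
    department, so the CA issues a certificate with a new DN but the same
    ID. All certificates and names here are constructed for the example."""
    issuer = "CA=IBM"
    old = Cert(issuer, "IBM/Research/Almaden/Shyh-Wei Luan", "123456")
    new = Cert(issuer, "IBM/Software/Austin/Shyh-Wei Luan", "123456")
    # Same ID issued by a different CA: must not match the IBM entry.
    other_ca = Cert("CA=Example", "Example/Shyh-Wei Luan", "123456")

    dn_acl = DnKeyedAcl()
    dn_acl.grant(old.subject_dn, "read")
    id_acl = IdKeyedAcl()
    id_acl.grant("123456", issuer, "read", annotation=old.subject_dn)

    return {
        "dn_before": dn_acl.allows(old, "read"),
        "id_before": id_acl.allows(old, "read"),
        # After the department change the DN-keyed entry no longer matches.
        "dn_after": dn_acl.allows(new, "read"),
        "id_after": id_acl.allows(new, "read"),
        "other_ca": id_acl.allows(other_ca, "read"),
        # The annotation lags behind until the manager's refresh runs,
        # but nothing about the access decision depends on it.
        "annotation_before_refresh": id_acl.annotation("123456", issuer),
        "refreshed": id_acl.refresh_annotations([new, other_ca]),
        "annotation_after_refresh": id_acl.annotation("123456", issuer),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Two points a relying party has to get right for the ID-keyed form to be safe: the ID is only unique within one CA, so the lookup key must include the issuer taken from a validated chain (otherwise any CA could mint a certificate carrying ID 123456), and the stored DN must stay a display annotation only, never an input to the decision, or the refresh job becomes security-critical after all.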