
Re: X.509 certificate and its subject name field



At 01:04 PM 6/5/97 -0400, David P. Kemp wrote:

>I'm not sure what version skew issues you are referring to.

Perhaps I was misinformed.

>> Sure.  How about "CN=John Smith"
>
>And why is that not a perfectly legal Distinguished Name?  It certainly
>complies with the ASN.1 definition of DN.

Well, I guess I am out of my depth here, but it was my understanding that
while DNs and RDN sequences have the same syntax, they have different semantics.

In the course of the recent thread on whether SubjectUID is needed or not, a
number of people all said things like "of course the name is a DN and
therefore will be unique (unambiguous)" and nobody contradicted them.

>What is your definition of a "subject"?  The tautological definition of
>"the entity referred to by the subjectName field of a certificate" isn't
>useful - it's always unique "per subject".

Oh no, you can't get me with that one.  I am well aware that the "what is a
subject?" discussion is non-terminating.

>If you believe that a single issuer should not create more than one
>subjectName to refer to a particular flesh-and-blood human, I disagree
>with that requirement also.  I as a human may want two different DNs
>to refer to two different roles that I perform.

Obviously it is the converse case I am interested in.

Look, I apologize if I am the only one on this list who doesn't "get it",
but I am trying to ask serious questions about what the specification
specifies and what it does not specify.

Suppose I am going to make an authorization decision.  To do so, one of the
things I have to determine is the "subject."  It seems to me that my notion
of what a subject is has to match that of the certificate issuer. 

Does the spec tell me what fields I need to check to (unambiguously)
determine the identity of the subject?  Or is that up to me?

Is the CA free to put anything it likes in the subject name field as long as
the syntax is right and it follows its own published policies?

Hal
=================================================================
Harold W. Lockhart Jr.            PLATINUM technology, Inc.
Chief Technical Architect         8 New England Executive Park
Email: hal@platsol.com            Burlington, MA 01803 USA
Voice: (617)273-6406              Fax: (617)229-2969
=================================================================
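The "same syntax, different semantics" point raised in this message, as an added illustration that is not part of the thread: a minimal constructed parser (not any library's code) that reads the string form of a DN into its RDN sequence and compares two names under X.500 matching rules, so that "CN=John Smith" and "cn=john  smith" are the same name while a different RDN order is not.

```python
"""Minimal parser for the string form of an X.500 Distinguished Name
("CN=John Smith,O=Example", RFC 4514 style).  A DN is an ordered sequence of
RDNs; each RDN is an unordered set of attribute type/value pairs.  Comparison
follows X.500 semantics rather than string syntax: attribute types are
case-insensitive, values use caseIgnoreMatch (case and surplus whitespace are
insignificant), values within one RDN are unordered, but RDN order matters.
Backslash escapes are honoured; hex escapes and #-encoded values are not."""
import re


def _tokenize(dn):
    """Walk the DN once, splitting on unescaped ',' (between RDNs) and '+'
    (between attributes of one RDN) while honouring backslash escapes."""
    rdns, rdn, cur, i = [], [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch in ",+":
            rdn.append("".join(cur))
            cur = []
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            cur.append(ch)
        i += 1
    rdn.append("".join(cur))
    rdns.append(rdn)
    return rdns


def _norm_value(value):
    """caseIgnoreMatch: fold case and collapse insignificant whitespace."""
    return re.sub(r"\s+", " ", value).strip().lower()


def parse_dn(dn):
    """Return the DN as a tuple of RDNs, each a frozenset of (type, value)
    pairs in normalised form; raises ValueError on a malformed component."""
    rdns = []
    for rdn in _tokenize(dn):
        pairs = set()
        for ava in rdn:
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            atype, value = ava.split("=", 1)
            pairs.add((atype.strip().lower(), _norm_value(value)))
        rdns.append(frozenset(pairs))
    return tuple(rdns)


def dn_equal(a, b):
    """True when two DN strings denote the same name under X.500 matching."""
    return parse_dn(a) == parse_dn(b)
```

Whether two certificates carrying the same subject DN from one issuer name one subject or two roles of one person is exactly the policy question this message asks; the parser only settles whether the names themselves are equal.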