Re: X.509 certificate and its subject name field
Hal Lockhart wrote:
>Does the spec tell me what fields I need to check to (unambiguously)
>determine the identity of the subject? Or is that up to me?
Clearly and unequivocally, it depends.
What do you consider to make up "identity"?
If all you are concerned about is the subject's DN, that is enough. But what
if someone has the same DN, but two different e-mail addresses, and two
different certificates containing different alternateSubjectNames?
Or maybe someone doesn't use a serialNumber approach to disambiguating the
subject DN, but encodes hair, eye and skin color, weight, height, and a
fingerprint GIF or JPEG image as additional attributes in the certificate?
>
>Is the CA free to put anything it likes in the subject name field as long as
>the syntax is right and it follows its own published policies?
Yes. The Internet Society has disbanded its army, and has decided not to
declare war on anyone who violates its standards, if any.
In this case, however, there aren't any standards in any case, because the
Internet Architecture Board back in the PEM days never got around to
adopting a specific schema for what would be considered an acceptable RDN
component for a certificate.
So as a CA, you are technically, legally, and morally free to include
anything you want in a certificate, even in a DN. The components don't even
have to be listed in any of the oxymoronic "useful attribute" types defined
in X.520. So feel free to put a JPEG image of your dog in your DN, if you so
desire.
Of course, if you ever try to put this certificate into any kind of a
reasonable, real-life directory and expect to use the DN in the certificate
as the DN for the entry, you may get some flack from the directory
administrator, who thinks it is his job to specify the allowable schemas.
But what the hay, the CA and the directory providers are in separate
organizations, and neither is subservient to the other, so let them agree to
disagree.
Likewise, if you put an obscure, much less proprietary, attribute in your DN
(or anywhere else in the certificate), you may find that lots of software
won't be able to parse or display, much less browse, those attributes, even
if LDAP grows up to the point of handling something more than ASCII. But
that's OK -- we'll put out new ASN.1 definitions every Friday, and everyone
in the world can recompile their browsers and certificate verifiers once a
week to handle the new definitions.
Or you can just wait for Microsoft (or Netscape, or VeriSign, or IBM, or
Entrust, ...) to take over the world, and just do what they do. Of course
you won't get much market share that way, but...
Or maybe we can make it a Java problem, and assign someone else to solve it?
Always glad to be of help! :-)
Bob
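The same-DN, different-subjectAltName case raised above (Bob's "alternateSubjectNames"), as an added example that is not part of the original thread: two self-signed certificates carry an identical subject DN but different e-mail addresses in subjectAltName, so keying on the DN alone makes them collide while folding the SANs into the key tells them apart. Go standard library only; the subject name and addresses are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// must panics on error, which is fine here because every input is constructed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert builds and re-parses a self-signed cert with a fixed (constructed) subject DN and the given e-mail SANs.
func makeCert(emails []string, serial int64) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: "Hal Lockhart", Organization: []string{"Example Org"}},
		EmailAddresses: emails,
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func DNKey(c *x509.Certificate) string { return c.Subject.String() } // DN alone: the ambiguous key

// IdentityKey also folds in the sorted subjectAltName e-mail addresses, so same-DN certs with different addresses stay distinct.
func IdentityKey(c *x509.Certificate) string {
	sans := append([]string(nil), c.EmailAddresses...)
	sort.Strings(sans)
	return DNKey(c) + "|" + strings.Join(sans, ",")
}

func main() {
	a, b := makeCert([]string{"hal@example.com"}, 1), makeCert([]string{"hal@example.net"}, 2)
	fmt.Println(DNKey(a) == DNKey(b), IdentityKey(a) == IdentityKey(b)) // true false
}
```

A verifier that binds a policy decision to the DN alone would treat both certificates as the same subject; one that keys on the DN plus SAN (or on issuer and serial) would not.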