Re: X.509 certificate and its subject name field
Denis,
Here are some more comments on the proposed changes ...
From: Denis Pinkas <D.Pinkas@frcl.bull.fr>
> 4.1.2.8 Unique Identifiers
> The subject and issuer unique identifier are intended to handle
> the possibility of reuse of subject and/or issuer names over time.
> The subject unique identifier is an integer issued by a
> certification authority that is unique during the life time of
> a given certification authority and that is assigned by that
> certification authority to the entity associated with the public
> key stored in the subject public key field. It must be identical
> for each updated certificate issued by a given CA (i.e., the issuer
> name and the subject unique identifier identify a unique entity).
> When the subject unique identifier is used, end-entity names may be
> re-used over time.
> CAs conforming to this profile should not reuse issuer names.
> Therefore they should not generate cross-certificates that
> incorporate a subject unique identifier.
I think it is possible that many companies/organizations will have their own
CAs - not necessarily for certifying their customers but for certifying their
employees/members or their business units for conducting business with other
companies or with governments (e.g., regulations, IRS). CA names will
become a scarce resource in years and need to be reused.
Thus I think CAs should also be assigned SUIDs by their certifying CAs.
BTW, thanks for putting up the proposal! I am glad that the long discussion
is getting us somewhere.
Shyh-Wei
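The identity rule in the quoted 4.1.2.8 text, worked as an added Python example that is not part of this thread or of any PKIX implementation; the certificate records, the "ca" flag and the sample issuer/subject names are constructed stand-ins for parsed X.509 fields:

```python
# Constructed stand-ins for parsed certificate fields (not real certs):
# issuer and subject names, serial number, subjectUniqueID (bytes or None),
# and whether the subject is a CA (i.e. the cert is a cross-certificate).
ISSUED = [
    {"issuer": "CN=Example CA", "subject": "CN=J. Smith", "serial": 1,
     "subject_uid": b"\x00\x01", "ca": False},
    # Renewal of the same person: the SUID stays identical.
    {"issuer": "CN=Example CA", "subject": "CN=J. Smith", "serial": 7,
     "subject_uid": b"\x00\x01", "ca": False},
    # A second J. Smith certified later: name reused, distinct SUID.
    {"issuer": "CN=Example CA", "subject": "CN=J. Smith", "serial": 9,
     "subject_uid": b"\x00\x02", "ca": False},
    # No SUID at all: only the subject name identifies this entity.
    {"issuer": "CN=Example CA", "subject": "CN=Device 42", "serial": 11,
     "subject_uid": None, "ca": False},
    # Cross-certificate that carries a SUID, which the quoted text forbids.
    {"issuer": "CN=Example CA", "subject": "CN=Partner CA", "serial": 12,
     "subject_uid": b"\x00\x03", "ca": True},
]

def entity_key(cert):
    """What identifies the certified entity: issuer name plus the subject
    unique identifier when one is present, otherwise issuer plus subject
    name (the pre-SUID situation, where names must never be reused)."""
    if cert["subject_uid"] is not None:
        return (cert["issuer"], "suid", cert["subject_uid"])
    return (cert["issuer"], "name", cert["subject"])

def same_entity(a, b):
    """True when two certificates from one CA certify the same entity."""
    return entity_key(a) == entity_key(b)

def count_entities(certs):
    """Number of distinct entities behind a CA's issued certificates."""
    return len({entity_key(c) for c in certs})

def cross_cert_violations(certs):
    """Serials of cross-certificates that carry a subject unique identifier,
    which the quoted profile text says conforming CAs should not generate."""
    return [c["serial"] for c in certs
            if c["ca"] and c["subject_uid"] is not None]
```

Without a SUID, the two "CN=J. Smith" certificates would collapse into one entity key, which is exactly the name-reuse ambiguity the identifier is meant to remove.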