
Re: X.509 certificate and its subject name field



David P. Kemp wrote:

> If you assume that IBM goes out of business this year, and next year
> Dave Kemp Enterprises wants to issue certs under the name "ibm.com",
> those two IBMs have to be kept separate in some manner.  Assuming for
> a moment that the lawyers and the PTO agree to allow reuse of the
> IBM name,
>
>   "..., CN=ibm.com" and SUID=1
>
> seems no more effective at designating the real IBM in a name reuse
> scenario than does
>
>   "..., CN=ibm.com + SN=1"
>
> What precisely is the advantage of SUIDs over unique terminal RDN's?

  Reuse of names is controlled by a CA, during its responsible and reliable
performance of the authentication management process.

Whereas NAs, lawyers and the PTO will manage who gets
"o=IBM Co; l=Internet; cn=www.ibm.com", and a CA will do due
diligence and reliable authentication for the party claiming to
be thusly named, ...

it's a value-added CA service to enable some other party
to, at a subsequent moment, reuse that name, and it's
the CA's representation that name reuse and a change
of authentication have occurred. The name, upon validation of reuse,
need not change, as in the SN=2 RDN case.

As is often said, use of this cert, or reliance on the identification
information for access control (including SUID where present) or otherwise,
transcends the DN name-form, bringing the benefits to other name-forms of
GeneralName in the critical altSubjectName extension.

To take an example: if I start a new name-form registry, provided
for my GeneralNames, for car vanity number plates such as "IAMVANE", then when
the plate is re-sold, the plate name should not change. That's
the whole point!

This does beg the question of which name-form the SUID controls refer to if
there are multiple names in the GeneralNames-based extension. There is
no reason why the SUID PDV cannot be a sequence of such controls, which
one might note in the CA technical disclosures constraining use or
reliance.
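The exchange above turns on what a relying party actually keys its decisions on when a name is reused. The following is an added example written for this archive page, not code from either poster: it models the two schemes under discussion, a multi-valued terminal RDN ("CN=ibm.com + SN=1", bumped to SN=2 on reuse) versus an unchanged DN with a differing subjectUniqueID, and runs an access-control check against each from the point of view of a relying party that looks only at the DN and one that also honours the SUID. The DNs are constructed from the "o=IBM Co; l=Internet" prefix in the thread, the comparison rule is a simplified form of the RFC 5280 section 7.1 case and whitespace folding, and the two policy names are this example's own.

```python
"""Name reuse: terminal RDN versus subjectUniqueID, as seen by a relying party.

Added illustration for the thread above; not code from the original posts.
The names, ACLs and policy functions are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# An RDN is a set of (attributeType, value) pairs; a DN is an ordered
# sequence of RDNs.  A multi-valued RDN is one RDN with several pairs.
RDN = FrozenSet[Tuple[str, str]]
DN = Tuple[RDN, ...]


def rdn(*pairs: Tuple[str, str]) -> RDN:
    """Build one RDN.  Several pairs give the thread's 'CN=ibm.com + SN=1'
    form: one RDN carrying two attribute values."""
    return frozenset((attr_type.upper(), value) for attr_type, value in pairs)


def normalise(dn: DN) -> DN:
    """Simplified RFC 5280 section 7.1 name comparison: fold case and collapse
    internal whitespace in attribute values before comparing."""
    return tuple(
        frozenset((t, " ".join(v.split()).casefold()) for t, v in one_rdn)
        for one_rdn in dn
    )


def same_name(a: DN, b: DN) -> bool:
    return normalise(a) == normalise(b)


@dataclass(frozen=True)
class Cert:
    """Only the fields the scenario needs; this is not a certificate parser."""
    subject: DN
    subject_unique_id: Optional[bytes] = None  # X.509 v2 subjectUniqueID


# Two relying-party identity policies (names assumed for this example):
# key the ACL on the DN alone, or on the DN together with the SUID.
def key_dn_only(cert: Cert):
    return normalise(cert.subject)


def key_dn_and_suid(cert: Cert):
    return (normalise(cert.subject), cert.subject_unique_id)


def authorised(acl: Dict, cert: Cert, key_fn: Callable[[Cert], object]) -> bool:
    """Grant access iff the identity the policy derives from the cert is listed."""
    return key_fn(cert) in acl


# Constructed sample prefix, following the thread's "o=IBM Co; l=Internet".
BASE: DN = (rdn(("O", "IBM Co")), rdn(("L", "Internet")))


def run_scenario() -> Dict[str, bool]:
    # Scheme 1: the CA bumps a terminal SN value when it lets a new party
    # reuse the name, so the DN itself changes.
    ibm_v1 = Cert(BASE + (rdn(("CN", "ibm.com"), ("SN", "1")),))
    kemp_v1 = Cert(BASE + (rdn(("CN", "ibm.com"), ("SN", "2")),))
    acl_scheme1 = {key_dn_only(ibm_v1): "admin"}

    # Scheme 2: the DN is left unchanged on reuse and only the
    # subjectUniqueID differs between the two holders.
    ibm_v2 = Cert(BASE + (rdn(("CN", "ibm.com")),), subject_unique_id=b"\x01")
    kemp_v2 = Cert(BASE + (rdn(("CN", "ibm.com")),), subject_unique_id=b"\x02")
    acl_scheme2_dn_only = {key_dn_only(ibm_v2): "admin"}
    acl_scheme2_suid = {key_dn_and_suid(ibm_v2): "admin"}

    return {
        # Scheme 1: any DN-based relying party tells the two IBMs apart.
        "scheme1_original_holder": authorised(acl_scheme1, ibm_v1, key_dn_only),
        "scheme1_new_holder": authorised(acl_scheme1, kemp_v1, key_dn_only),
        # Scheme 2: a relying party that ignores the SUID hands the new
        # holder the old holder's rights; one keyed on the SUID does not.
        "scheme2_dn_only_rp_new_holder": authorised(acl_scheme2_dn_only, kemp_v2, key_dn_only),
        "scheme2_suid_aware_rp_new_holder": authorised(acl_scheme2_suid, kemp_v2, key_dn_and_suid),
        "scheme2_suid_aware_rp_original": authorised(acl_scheme2_suid, ibm_v2, key_dn_and_suid),
        # The comparison folds case, so 'IBM.COM' still matches 'ibm.com'.
        "matching_folds_case": same_name(
            ibm_v1.subject, BASE + (rdn(("CN", "IBM.COM"), ("SN", "1")),)
        ),
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The practical point the example makes is that under the SUID scheme, separation of the two holders exists only if every relying party keys on the SUID, which is a processing requirement the thread's "transcends the DN name-form" argument has to assume. Worth noting for anyone reading this today: RFC 5280 section 4.1.2.8 forbids conforming CAs from issuing certificates with unique identifiers and attaches no processing requirements to them, so the terminal-RDN form is the one a modern relying party can be expected to honour.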