
Re: Last Call: Internet X.509 Public Key Infrastructure Certificate and CRL Profile to Proposed Standard



Francois,

The PKCS 9 emailAddress is listed as a legacy attribute; the preferred
location for this information is the subject (issuer) alternative name field.

The RFC1274 userid attribute was not proposed by anyone in the working
group, and I've never seen it in a certificate.  This attribute would be
appropriate if the CA wants to bind a certificate to a particular account,
but most certs (so far) are bound to a human subject (rather than a login
account) or a host.  For the binding to a person the common name attribute
is more appropriate.  When binding to a host, without regard to account,
the userid attribute would not be required.

Of course, new applications may emerge that would use that attribute. The
profile permits CAs to use the userid attribute (or any other) if they
desire.  I think that is good enough for Proposed Standard.  If we find
that the userid attribute is widely used in Internet PKIs, we can certainly
add it to the mandatory list when we move to Draft Standard.

Thanks,

Tim Polk

At 09:08 AM 8/14/98 -0500, you wrote:
>Hello,
>
>Has the PKIX group considered making the RFC1274 attribute
>userid & the PKCS 9 emailAddress mandatory?
>Could a rationale be given for why the PKIX group excludes them from the pool
>of commonly used attributes subject to standardization?
>
>9.3.1.  Userid
>
>   The Userid attribute type specifies a computer system login name.
>
>     userid ATTRIBUTE
>         WITH ATTRIBUTE-SYNTAX
>             caseIgnoreStringSyntax
>             (SIZE (1 .. ub-user-identifier))
>     ::= {pilotAttributeType 1}
>
>Our needs analysis shows that in a 50000+ world-wide corporation, a
>personal rdn is not an easy task to perform:
>
>-cn is not sufficient as too many homonyms exist
>-location & country are inadequate for a mobile workforce
>as they create a high burden on the CA as people move.
>-people are attached to a location independent SMTP email address
>while employed for continuity of business.
>-access controls force us to have personal company identifiers which are
>never reused by new employees.
>
>Looking forward to reading you,
>--francois
>
>
>-- 
>Francois Leclerc		SCHLUMBERGER Austin Product Center
>Associate Research Scientist	 8311 North F.M 620 Road
>Fax: 1 512 331-3760	 	Austin, Texas 78726 USA
>Tel: 1 512 331-3133  fleclerc@slb.com or leclerc@austin.apc.slb.com
>
>
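Added example (not part of the thread above, and not code from either correspondent): a small, dependency-free Python script showing where the attributes under discussion end up at the DER level. It encodes a subject Name carrying commonName, the RFC 1274 userid attribute (pilotAttributeType 1, OID 0.9.2342.19200300.100.1.1) and the legacy PKCS 9 emailAddress (OID 1.2.840.113549.1.9.1), encodes an rfc822Name for the subjectAltName extension that Tim's reply names as the preferred location, and parses both back with a length-checking DER reader. The identity "Jane Doe" / "jdoe" / "jdoe@example.com" is constructed for the example; encoding userid as UTF8String is a choice made here (RFC 1274 gives it caseIgnoreString syntax, which corresponds to DirectoryString in X.509 practice), and subject_alt_name_value produces only the GeneralNames that sit inside the extension's OCTET STRING, not the full Extension structure.

```python
# Standard object identifiers (dotted form); none are invented for this example.
OID_COMMON_NAME = "2.5.4.3"                 # X.520 commonName
OID_USERID = "0.9.2342.19200300.100.1.1"    # RFC 1274 userid (pilotAttributeType 1)
OID_EMAIL_ADDRESS = "1.2.840.113549.1.9.1"  # PKCS#9 emailAddress, legacy in PKIX

def der_len(n):
    # Length octets: short form below 128, minimal long form otherwise.
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    # First two arcs pack into 40*a+b; subidentifiers are base-128, high bit = "more".
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def attribute(oid, value, string_tag):
    # One single-valued RDN: SET { SEQUENCE { type OID, value } }.
    return tlv(0x31, tlv(0x30, encode_oid(oid) + tlv(string_tag, value.encode("utf-8"))))

def subject_name(cn, uid, legacy_email=None):
    # Name ::= SEQUENCE OF RDN.  CN and userid are DirectoryString, encoded here as
    # UTF8String (0x0C); PKCS#9 emailAddress is defined as IA5String (0x16).
    rdns = attribute(OID_COMMON_NAME, cn, 0x0C) + attribute(OID_USERID, uid, 0x0C)
    if legacy_email is not None:
        rdns += attribute(OID_EMAIL_ADDRESS, legacy_email, 0x16)
    return tlv(0x30, rdns)

def subject_alt_name_value(emails):
    # The GeneralNames that sit inside the subjectAltName extension's OCTET STRING;
    # rfc822Name is [1] IMPLICIT IA5String, i.e. context tag 0x81.
    return tlv(0x30, b"".join(tlv(0x81, e.encode("ascii")) for e in emails))

def read_tlv(buf, pos):
    # Return (tag, content, position after element); rejects non-minimal or overlong lengths.
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or nbytes > (length.bit_length() + 7) // 8:
            raise ValueError("non-minimal DER length")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    top = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(a) for a in [top, arcs[0] - 40 * top] + arcs[1:])

def name_attributes(name_der):
    # Flatten a Name into [(oid, value), ...] in encoded order.
    out, pos = [], 0
    _, rdns, _ = read_tlv(name_der, 0)
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)
        spos = 0
        while spos < len(rdn):
            _, ava, spos = read_tlv(rdn, spos)
            _, oid_body, vpos = read_tlv(ava, 0)
            _, value, _ = read_tlv(ava, vpos)
            out.append((decode_oid(oid_body), value.decode("utf-8")))
    return out

def san_rfc822_names(general_names_der):
    # Every rfc822Name in a GeneralNames value; other name forms are skipped.
    out, pos = [], 0
    _, names, _ = read_tlv(general_names_der, 0)
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag == 0x81:
            out.append(body.decode("ascii"))
    return out

def certificate_emails(subject_der, san_der=None):
    # The precedence in Tim Polk's reply: rfc822Name in the SAN is the preferred location;
    # the subject's PKCS#9 emailAddress is only a legacy fallback.
    if san_der is not None:
        found = san_rfc822_names(san_der)
        if found:
            return found
    return [v for oid, v in name_attributes(subject_der) if oid == OID_EMAIL_ADDRESS]
```

certificate_emails encodes the reading of Tim's reply that a relying party would apply: take rfc822Name values from the SAN first and consult the subject's emailAddress only when the SAN carries none. encode_oid and decode_oid are exact inverses, so the userid OID round-trips to the well-known encoding 06 0a 09 92 26 89 93 f2 2c 64 01 01.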