
Re: Last Call: Internet X.509 Public Key Infrastructure Certificate and CRL Profile to Proposed Standard



Francois,

>Has the PKIX group considered making the RFC1274 attribute
>userid & PKCS 9 emailAddress mandatory?
>Could a rationale be given for why the PKIX group excludes them from the pool
>of commonly used attributes subject to standardization?
>
>9.3.1.  Userid
>
>   The Userid attribute type specifies a computer system login name.
>
>     userid ATTRIBUTE
>         WITH ATTRIBUTE-SYNTAX
>             caseIgnoreStringSyntax
>             (SIZE (1 .. ub-user-identifier))
>     ::= {pilotAttributeType 1}
>
>Our needs analysis shows that in a 50000+ world-wide corporation, a
>personal rdn is not an easy task to perform:
>
>-cn is not sufficient as too many homonyms exist
>-location & country are inadequate for a mobile workforce
>as they create a high burden on the CA as people move.
>-people are attached to a location-independent SMTP email address
>while employed for continuity of business.
>-access controls force us to have personal company identifiers which are
>never reused by new employees.

Large organizations I am familiar with tend to use a terminal RDN that is a
set consisting of a common name and a serial number, where the number is an
employee ID.  That makes use of existing data that is usually employed to
differentiate among employees, e.g., for payroll purposes.  User login
names are often NOT globally unique, e.g., they need only be system unique.


Steve
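Added example, not code from this thread or from the PKIX profile: a standard-library Python DER encoder for the Name shape Steve describes, an organization RDN followed by a terminal RDN that is a SET of commonName and serialNumber (the employee ID). It shows that two employees with the same common name still get distinct DNs, and that DER's ordering rule for SET OF makes the multi-valued RDN canonical regardless of the order the attributes were supplied in. The organization, names and employee IDs are constructed sample values; the OIDs are the real X.520 ones.

```python
from typing import Iterable

# X.520 attribute type OIDs (these values are real, not constructed).
OID_CN = "2.5.4.3"             # id-at-commonName
OID_SERIAL_NUMBER = "2.5.4.5"  # id-at-serialNumber
OID_ORG = "2.5.4.10"           # id-at-organizationName

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]           # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def attribute(oid: str, value: str, printable: bool = False) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value DirectoryString }.
    serialNumber is a PrintableString (0x13); the rest use UTF8String (0x0C)."""
    return _tlv(0x30, _oid(oid) + _tlv(0x13 if printable else 0x0C, value.encode()))

def rdn(attrs: Iterable[bytes]) -> bytes:
    """RelativeDistinguishedName ::= SET OF AttributeTypeAndValue.
    DER (X.690 11.6) orders SET OF members by their encodings, so the
    multi-valued RDN encodes identically whatever order the caller used."""
    return _tlv(0x31, b"".join(sorted(attrs)))

def employee_dn(org: str, cn: str, employee_id: str) -> bytes:
    """Name ::= SEQUENCE OF RDN, ending in the { CN + serialNumber } set."""
    terminal = rdn([attribute(OID_CN, cn),
                    attribute(OID_SERIAL_NUMBER, employee_id, printable=True)])
    return _tlv(0x30, rdn([attribute(OID_ORG, org)]) + terminal)
```

Feeding the output of `employee_dn` to any ASN.1 dumper (for example `openssl asn1parse -inform DER`) shows the SEQUENCE / SET / SEQUENCE nesting of the two RDNs.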