Re: Last Call: Internet X.509 Public Key Infrastructure Certificate and CRL Profile to Proposed Standard



Tim, Steve,

thank you for your answers. I won't talk about UID & emailAddress anymore.
I'd like to get your opinion on a last change:

Should, for interoperability's sake, "a serial number, where the number is an
employee ID" be part of the PKIX part 1 DNs (X.520 serialNumber?
X.520 uniqueIdentifier?), or is it the purpose of X.520 dnQualifier,
mentioned in the PKIX part 1?

I'm trying to understand how business A employees & services can deal with
business B employees, if the COTS applications and CAs do not provide means
to parse business B DNs, in particular the "serial number, where the number
is an employee ID". Hence my insistence on this topic. I have never used COTS
(common off the shelf) applications and CAs using X.520 serialNumber,
X.520 uniqueIdentifier or X.520 dnQualifier in a DN. I'm looking forward to
being PKIX 1 compliant, and ask the same of my PKI software/service providers.

The "serial number, where the number is an employee ID" is different from the
serial number of the certificate issued by the CA (4.1.2.2 in the draft), if I
needed to make my thoughts more precise.

Regards,
--francois

Stephen Kent wrote:
...
> >Our needs analysis show that in a 50000+ world-wide corporation, a
> >personal rdn is not an easy task to perform :
> >
> >-cn is not sufficient as too many homonyms exist
> >-location & country are inadequate for a mobile workforce
> >as they create a high burden on the CA as people move.
...
> >-access controls force to have personal company identifiers which are
> >never reused by new employees.
> 
> Large organizations I am familiar with tend to use a terminal RDN that is a
> set consisting of a common name and a serial number, where the number is an
> employee ID.  That makes use of existing data that is usually employed to
> differentiate among employees, e.g., for payroll purposes.  User login
> names are often NOT globally unique, e.g., they need only be system unique.
> 
> Steve

-- 
Francois Leclerc		SCHLUMBERGER Austin Product Center
Associate Research Scientist	 8311 North F.M 620 Road
Fax: 1 512 331-3760	 	Austin, Texas 78726 USA
Tel: 1 512 331-3133  fleclerc@slb.com or leclerc@austin.apc.slb.com
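The thread turns on whether relying parties can actually handle a terminal RDN that is a SET of commonName plus X.520 serialNumber (the employee ID, distinct from the certificate serial number of 4.1.2.2). The following is an added example, not code from either correspondent: a dependency-free DER encoder and decoder for an X.501 Name, showing how such a multi-valued RDN is encoded, how DER orders the SET, and how a consumer extracts the employee ID. The attribute OIDs are the real X.520 values (2.5.4.5 serialNumber, 2.5.4.46 dnQualifier, 2.5.4.45 uniqueIdentifier); the DN "C=US, O=Example Corp, CN=Jane Smith+serialNumber=E12345" is constructed for illustration.

```python
"""Encode/decode an X.501 Name in DER, including a multi-valued terminal RDN
{commonName, serialNumber}.  Added example; OIDs are from X.520, the sample
DN is constructed.  Only DirectoryString attributes are handled: X.520
uniqueIdentifier is a BIT STRING, so it is deliberately not supported here."""

OID_C = "2.5.4.6"
OID_O = "2.5.4.10"
OID_CN = "2.5.4.3"
OID_SERIAL_NUMBER = "2.5.4.5"      # X.520 serialNumber: NOT the certificate serial
OID_DN_QUALIFIER = "2.5.4.46"      # X.520 dnQualifier (PrintableString)

OID_NAMES = {OID_C: "C", OID_O: "O", OID_CN: "CN",
             OID_SERIAL_NUMBER: "serialNumber", OID_DN_QUALIFIER: "dnQualifier"}

# Character set of ASN.1 PrintableString; anything else is emitted as UTF8String.
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")


def _length(n):
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _encode_string(s):
    if all(c in PRINTABLE for c in s):
        return _tlv(0x13, s.encode("ascii"))   # PrintableString
    return _tlv(0x0C, s.encode("utf-8"))       # UTF8String


def encode_name(rdns):
    """rdns: list of RDNs; each RDN is a list of (oid, value) pairs.
    A single pair is an ordinary RDN, several pairs form a multi-valued SET."""
    out = b""
    for rdn in rdns:
        atvs = [_tlv(0x30, _encode_oid(oid) + _encode_string(v)) for oid, v in rdn]
        # DER rule for SET OF: components are sorted by their encoded bytes,
        # so the wire order is canonical and independent of input order.
        out += _tlv(0x31, b"".join(sorted(atvs)))
    return _tlv(0x30, out)


def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts = [body[0] // 40, body[0] % 40]   # adequate for arcs 0..2 with sub-arc < 40
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def decode_name(der):
    """Inverse of encode_name; returns the list-of-RDNs structure."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn_body, pos = _read_tlv(body, pos)
        assert tag == 0x31, "RDN must be a SET"
        atvs, p = [], 0
        while p < len(rdn_body):
            tag, atv_body, p = _read_tlv(rdn_body, p)
            assert tag == 0x30, "AttributeTypeAndValue must be a SEQUENCE"
            _, oid_body, q = _read_tlv(atv_body, 0)
            _, val_body, _ = _read_tlv(atv_body, q)
            atvs.append((_decode_oid(oid_body), val_body.decode("utf-8")))
        rdns.append(atvs)
    return rdns


def employee_id(rdns):
    """The X.520 serialNumber in the terminal RDN, or None: this is the lookup a
    relying party at business A needs to make sense of business B's DNs."""
    for oid, value in rdns[-1]:
        if oid == OID_SERIAL_NUMBER:
            return value
    return None


def to_string(rdns):
    return ",".join("+".join(f"{OID_NAMES.get(o, o)}={v}" for o, v in rdn) for rdn in rdns)


# Constructed sample: terminal RDN is the SET {CN, serialNumber} Steve describes.
EXAMPLE_DN = [[(OID_C, "US")], [(OID_O, "Example Corp")],
              [(OID_CN, "Jane Smith"), (OID_SERIAL_NUMBER, "E12345")]]

if __name__ == "__main__":
    der = encode_name(EXAMPLE_DN)
    print(der.hex())
    print(to_string(decode_name(der)), "->", employee_id(decode_name(der)))
```

Note that after a round trip the two components of the terminal RDN may come back in a different order than they were given: DER sorts SET OF components by their encodings, so a consumer must search the RDN for the serialNumber attribute type rather than assume a position.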