
RE: Qualified Certificates and the 43:d IETF Meeting



Stefan,

I still have major concerns over this draft in that the naming attributes
used in the subject and issuer are not those used in conventional directory
"distinguished names".  Whilst I recognise that LDAP / X.500 directories are
only one possible means of distributing certificates, the use of qualified
certificates should not make it difficult to use directories for
distributing certificates.

The changes made have moved in the right direction, but more could be done to
facilitate a common approach.

More specifically:

1) In 3.1.2, instead of Choice II using surname and firstname, conventions
could be defined for carrying this information in Common Name
(e.g. CommonName = <firstname> <surname>).

2) The standard attribute dnQualifier could be used instead of serialNumber
(the attribute "serialNumber" is defined in RFC 2256 as being the serial
number of a device).

3) postalAddress is more appropriate as an additional subjectAttribute (see
next comment) rather than a naming attribute.

4) In 3.2.1 it is suggested that the structure PersonalData is added to
SubjectAltName. This doesn't fit in with the standard syntax, which defines
this as being GeneralName (see PKIX part 1).

The Subject Directory Attributes provides a structure which can be used to
carry the additional information about the subject in a way which fits in
with existing standards.

Hope this helps.

Nick Pope
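The conventions argued for in the message above, shown as an added worked example (this is not code from the message, from the draft under discussion, or from any PKIX implementation): a subject Name with CommonName = "<firstname> <surname>", dnQualifier rather than serialNumber for disambiguation, postalAddress moved out of the Name into a SubjectDirectoryAttributes extension value, and the resulting Name rendered in the RFC 2253 LDAP string form. The DER encoder is a minimal one written for this example (standard library only); the person, organisation and qualifier values are constructed, and the LDAP attribute names used for types outside the RFC 2253 table (dnQualifier, serialNumber, sn, givenName) are the RFC 2256 schema names, which assumes the directory recognises that schema.

```python
"""Added example: X.509 subject Name following the CN / dnQualifier /
subjectDirectoryAttributes conventions discussed above, with a minimal DER
encoder and an RFC 2253 LDAP string renderer. Standard library only."""
from typing import Sequence, Tuple

RDN = Sequence[Tuple[str, str]]   # one RelativeDistinguishedName: (oid, value) pairs
Name = Sequence[RDN]              # RDNSequence, most significant RDN first

# Attribute type OIDs from X.520; the LDAP names below are those of RFC 2256.
OID_COUNTRY = "2.5.4.6"
OID_ORG = "2.5.4.10"
OID_COMMON_NAME = "2.5.4.3"
OID_SERIAL_NUMBER = "2.5.4.5"      # RFC 2256: serial number of a device
OID_DN_QUALIFIER = "2.5.4.46"
OID_SURNAME = "2.5.4.4"
OID_GIVEN_NAME = "2.5.4.42"
OID_POSTAL_ADDRESS = "2.5.4.16"
OID_SUBJECT_DIRECTORY_ATTRIBUTES = "2.5.29.9"   # id-ce-subjectDirectoryAttributes

LDAP_ATTR_NAME = {OID_COUNTRY: "C", OID_ORG: "O", OID_COMMON_NAME: "CN",
                  OID_SERIAL_NUMBER: "serialNumber", OID_DN_QUALIFIER: "dnQualifier",
                  OID_SURNAME: "sn", OID_GIVEN_NAME: "givenName"}
# X.520 gives these a PrintableString syntax; the rest use DirectoryString (UTF8String here).
PRINTABLE_STRING_TYPES = {OID_COUNTRY, OID_SERIAL_NUMBER, OID_DN_QUALIFIER}


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with short or long definite length (X.690)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(ln)]) + ln
    return bytes([tag]) + length + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, later arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))


def der_string(oid: str, value: str) -> bytes:
    if oid in PRINTABLE_STRING_TYPES:
        return der_tlv(0x13, value.encode("ascii"))   # PrintableString
    return der_tlv(0x0C, value.encode("utf-8"))       # UTF8String


def encode_name(name: Name) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName, RDN ::= SET OF AttributeTypeAndValue."""
    rdns = b""
    for rdn in name:
        atvs = [der_tlv(0x30, der_oid(oid) + der_string(oid, val)) for oid, val in rdn]
        rdns += der_tlv(0x31, b"".join(sorted(atvs)))   # DER orders SET OF members by encoding
    return der_tlv(0x30, rdns)


def encode_subject_directory_attributes(attrs: Sequence[Tuple[str, Sequence[str]]]) -> bytes:
    """Extension value SubjectDirectoryAttributes ::= SEQUENCE OF Attribute.
    postalAddress is SEQUENCE OF DirectoryString (one element per address line);
    every other type here is carried as one DirectoryString value per entry."""
    out = b""
    for oid, values in attrs:
        if oid == OID_POSTAL_ADDRESS:
            value_set = der_tlv(0x31, der_tlv(0x30, b"".join(der_string(oid, v) for v in values)))
        else:
            value_set = der_tlv(0x31, b"".join(sorted(der_string(oid, v) for v in values)))
        out += der_tlv(0x30, der_oid(oid) + value_set)
    return der_tlv(0x30, out)


def ldap_escape(value: str) -> str:
    """Escape an attribute value per RFC 2253 section 2.4."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def ldap_string(name: Name) -> str:
    """RFC 2253 string form: RDNs from last to first, '+' within an RDN, ',' between RDNs."""
    parts = []
    for rdn in reversed(name):
        parts.append("+".join(f"{LDAP_ATTR_NAME.get(oid, oid)}={ldap_escape(v)}" for oid, v in rdn))
    return ",".join(parts)


def person_subject(firstname: str, surname: str, org: str, country: str, qualifier: str) -> Name:
    """Subject Name per the conventions above: the person's name lives in CN,
    dnQualifier disambiguates, and no surname/givenName/postalAddress attribute
    appears in the Name itself (hypothetical sample values are passed by the caller)."""
    return [[(OID_COUNTRY, country)], [(OID_ORG, org)],
            [(OID_DN_QUALIFIER, qualifier)], [(OID_COMMON_NAME, f"{firstname} {surname}")]]


def split_common_name(cn: str) -> Tuple[str, str]:
    """Recover (firstname, surname) from CN = "<firstname> <surname>": the last
    space-separated token is the surname, everything before it the given name(s)."""
    first, _, last = cn.strip().rpartition(" ")
    return first, last


if __name__ == "__main__":
    # Constructed sample data, not from the message or the draft.
    subject = person_subject("Nick", "Pope", "Example, Ltd", "GB", "ABC123")
    print(ldap_string(subject))
    print(encode_name(subject).hex())
    print(encode_subject_directory_attributes([(OID_POSTAL_ADDRESS, ["1 High St", "London"])]).hex())
```

The LDAP string for the sample subject comes out as CN=Nick Pope,dnQualifier=ABC123,O=Example\, Ltd,C=GB, i.e. a DN a directory can store and search without any Qualified-Certificate-specific attribute types; the postal address travels in the extension instead.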