RE: Qualified Certificates and the 43:d IETF Meeting
All,
Last March, a need was identified to disambiguate the DN of the CA to
support differentiation by domain. In addition, a need was identified
to display the entire name to a user.
We looked at X.500 uniqueIdentifier (bitString - with no consistent
translation rules to a printable string); serviceNumber (doesn't really
work with the CA context); the RFC 1274 uniqueIdentifier (defined in '88
syntax and didn't appear to be useful if integrating LDAP) and, finally
the dNQualifier (defined as a printable string).
Based on this evaluation, we chose the DN qualifier.
If any of our assumptions were (or continue to be) incorrect and there
is an alternate solution, please let me know.
>----------
>From: david chadwick[SMTP:d.w.chadwick@iti.salford.ac.uk]
>Sent: Thursday, December 10, 1998 1:04 PM
>To: Russ Housley
>Cc: Stefan Santesson; secstan; ietf-pkix@imc.org
>Subject: Re: Qualified Certificates and the 43:d IETF Meeting
>
>
>
>Russ Housley wrote:
>
>> Nick & Stefan:
>>
>> >>2) The standard attribute dnQualifier could be used instead of
>> >>serialNumber
>> >>(The attribute "serialNumber" is defined in RFC 2256 as being the serial
>> >>number of a device).
>> >>
>> >
>
>The X.500 standard defines a uniqueIdentifier attribute that might be better
>suited to the semantics than either serial number or dnQualifier.
>David
>
>
>>
>> >Yes, the SN is not in complete harmony regarding its definition and its
>> >use. However, several other standardisation proposals have chosen SN for
>> >personal identifiers. The rationale behind that choice has been that most
>> >applications support and display this attribute in a correct way.
>> >
>> >Is there an installed base using "dnQualifier" ?
>>
>> We include support of dnQualifier.
>>
>> I strongly prefer dnQualifier over serialNumber.
>>
>> Russ
>
>