[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Comments on Qualified Certificates draft (incl. countryName)

To: Stefan Santesson <stefan@xxxxxxxxxxx>, ietf-pkix <ietf-pkix@xxxxxxx>
Subject: Comments on Qualified Certificates draft (incl. countryName)
From: Juergen Walter <Juergen.Walter@xxxxxx>
Date: Mon, 01 Mar 1999 11:35:32 +0100
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: DEH information systems GmbH
References: <>
Reply-to: Juergen.Walter@xxxxxx
Sender: owner-ietf-pkix@xxxxxxx

Comments in line. (I have changed the subject name to cover the
content.)

Stefan Santesson wrote:
> 
> All,
> 
> I would like to clarify the scope of the draft.
> 
> It is NOT the intent of the draft to specify how a meaningful identity
> should be composed.

The current draft seems to provide QCs as the elektronic pendant of ID
cards. But we need an electronic pendant of handwritten signatures. This
scope contains legal issues. They must be outside the scope of any
standard. Therefore the draft should address the technical issues of the
electronic pendant of handwritten signatures, i. e. non-repudiation of
origin. Furthermore, the standard should address attribute definitions
suitable for electronic commerce and other applications (e. g.
administration).

> 
> Period.
> 
> It is though the intent of the draft to specify a well defined structure
> within which any useful identity information could be expressed according
> to the issuers and the key holders preferences.

This implies that country name should be OPTIONAL.

> 
> The qualified certificate has two different compartments for subject
> identity information.
> 1) The subject field
> 2) The PersonalData field (stored in subjextAltName extension as a new
> information construct stored under otherNames.)
> 
> The main purpose of the subject field is to hold a "technical name"
> fulfilling all technical requirements that might be imposed on the
> certificate with respect to presence of a unique X.500 type of name. This
> name may or may not be suitable as the subjects preferred legal name
> (unmistakable identity).

I am not a lawyer. But in most circumstances my legal name is Jürgen
Walter (sorry for the umlaut "ü" in advance :-). Whether I sign a
contract in England or in Germany, my handwritten signature is still the
same. No birthday, gender, countryName, residence, ... is included.
After I sign a contract I may be asked for my ID card depending on
relying party´s policy. The electronic pendant may be an attribute
certificate that provides the REQUIRED information. It should be noted
that data protection laws would restrict the usage of QCs in most
countries. Furthermore, some customers may have reservations to give
full identity information by signing data.

> 
> The optional PersonalData field has the main purpose of providing means to
> express a legal name in cases where the subject field is not sufficient for
> this purpose. The advantage of this approach is to free the subject field
> of strange attributes and semantics necessary for expressing the legal name.

The draft should be define attributes which are suitable in public key
certificates and in attribute certificates as well. All these attributes
should be OPTIONAL present in public key certificates. Whether a
particular attribute is present or not, should be a matter of PKI
design.

The PersonalData record includes attributes which are not names like ate
of birth. The encoding altSubjectName|otherNames|PersonalData may be
misleading. 

Is semantics really necessary? There should be an appropriate CPS and/or
certificate policy that may provide sufficiently information about
semantics. Is somebody on the mailing list who plans to implement
semantics?

> 
> So, this debate is about whether the countryName attribute in the subject
> field (the technical name)shall be mandatory or optional. 

I propose it should be OPTIONAL.

>Keep in mind that
> any country information as part of the legal name

I beg to differ. Legal identity rather than legal name. Definitely not
part of handwritten signature.

> can be handled in the
> PersonalData field regardless of what is done in the subject field.
> 
> This gives the conclusion that what we decide in the subject field (as
> mandatory or not), should only be based on technical requirements from
> X.500 directory systems and similar, not from requirements on legal name
> forming.
> 
> Based on this presumption I would appreciate a consensus in this subject.
> 
> /Stefan

Jürgen

> -------------------------------------------------------------------
> Stefan Santesson                <stefan@accurata.se>
> Accurata Systemsäkerhet AB
> Lotsgatan 27 D                  Tel. +46-40 152211
> 216 42  Malmö                   Fax. +46-40 150790
> Sweden                        Mobile +46-70 5247799
> 
> PGP fingerprint: 89BC 6C79 5B3D 591B 8547  1512 7D11 DBF4 528F 29A0
> -------------------------------------------------------------------

--

References:
- RE: Qualified Certificates draft - Country name
  - From: Stefan Santesson

Prev by Date: OCSP Service Locator and RFC2459's Authority Information Access
Next by Date: RE: Qualified Certificates draft - Country name
Previous by thread: RE: Qualified Certificates draft - Country name
Next by thread: RE: Qualified Certificates draft - Country name
Index(es):
- Date
- Thread