RE: Qualified Certificates draft - Country name
I think that country name should be made mandatory. If country name
is made optional, how is the number of first-level entries in the global
directory tree going to be held down to navigable levels? I would have no
objection to defining the mandatory attribute superior to organization as a
choice between country name and international assignment authority, but to
allow any organization that wishes to assign itself as a first-level entry
in the tree to do so will produce a situation in which there is no entity
with a complete list of first-level entries. That would probably make it
permanently impossible for client systems to navigate the tree.
One problem with country name, however, is that it implicitly assumes
a "Westphalia model" of countries and makes no provision for such things as
the EU. Does anyone know of an alternative attribute that organizations
could be made subordinate to?
Tom Gindin (tgindin@us.ibm.com)
Note: These opinions are mine, and are not necessarily those of my
employer.
Stefan Santesson <stefan@accurata.se> on 02/27/99 10:51:59 AM
To: "Bob Jueneman" <BJUENEMAN@novell.com>, Tom Gindin/Watson/IBM
cc: samiklo@missi.ncsc.mil, ietf-pkix <ietf-pkix@imc.org>, Stephen Kent <kent@bbn.com>
Subject: RE: Qualified Certificates draft - Country name
All,
I would like to clarify the scope of the draft.
It is NOT the intent of the draft to specify how a meaningful identity
should be composed.
Period.
It is though the intent of the draft to specify a well defined structure
within which any useful identity information could be expressed according
to the issuer's and the key holder's preferences.
The qualified certificate has two different compartments for subject
identity information.
1) The subject field
2) The PersonalData field (stored in the subjectAltName extension as a new
information construct stored under otherNames.)
The main purpose of the subject field is to hold a "technical name"
fulfilling all technical requirements that might be imposed on the
certificate with respect to presence of a unique X.500 type of name. This
name may or may not be suitable as the subject's preferred legal name
(unmistakable identity).
The optional PersonalData field has the main purpose of providing means to
express a legal name in cases where the subject field is not sufficient for
this purpose. The advantage of this approach is to free the subject field
of strange attributes and semantics necessary for expressing the legal
name.
So, this debate is about whether the countryName attribute in the subject
field (the technical name) shall be mandatory or optional. Keep in mind that
any country information as part of the legal name can be handled in the
PersonalData field regardless of what is done in the subject field.
This gives the conclusion that what we decide in the subject field (as
mandatory or not), should only be based on technical requirements from
X.500 directory systems and similar, not from requirements on legal name
forming.
Based on this presumption I would appreciate a consensus on this subject.
/Stefan
-------------------------------------------------------------------
Stefan Santesson <stefan@accurata.se>
Accurata Systemsäkerhet AB
Lotsgatan 27 D
216 42 Malmö
Sweden
Tel. +46-40 152211
Fax. +46-40 150790
Mobile +46-70 5247799
PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------
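The check the thread is arguing about (is countryName present in the subject field at all?) is something a relying party's certificate policy validator has to implement over the DER-encoded Name, so here is an added example, not code from the draft or from either poster, that parses an X.501 Name and reports the countryName value. The DER encoder and the two sample subjects are constructed for the example and assume short-form lengths; the parser itself handles long-form lengths as well.

```python
def _tlv(tag, content):
    """DER tag-length-value with a short-form length (the constructed samples stay below 128 bytes)."""
    return bytes([tag, len(content)]) + content

def encode_name(avas):
    """Constructed test helper: DER Name with one (oid_octets, string_tag, text) AVA per RDN."""
    rdns = [_tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(tag, s.encode()))) for oid, tag, s in avas]
    return _tlv(0x30, b"".join(rdns))

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at pos, long-form lengths included."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets to dotted form; the first octet packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value); value = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Parse a DER Name into a list of RDNs, each a list of (dotted_oid, text) pairs."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE OF RelativeDistinguishedName"
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        assert tag == 0x31, "each RDN must be a SET OF AttributeTypeAndValue"
        avas, p = [], 0
        while p < len(rdn):
            _, ava, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(ava, 0)   # AttributeType
            _, val, _ = _read_tlv(ava, q)   # AttributeValue (PrintableString or UTF8String here)
            avas.append((_decode_oid(oid), val.decode("utf-8")))
        rdns.append(avas)
    return rdns

def country_name(der):
    """The policy check debated in the thread: countryName (id-at 2.5.4.6) value, or None if absent."""
    return next((v for rdn in parse_name(der) for oid, v in rdn if oid == "2.5.4.6"), None)
# Constructed sample subjects (not certificates from the thread): one with C=SE, one without.
WITH_COUNTRY = encode_name([(b"\x55\x04\x06", 0x13, "SE"), (b"\x55\x04\x0A", 0x0C, "Accurata"),
                            (b"\x55\x04\x03", 0x0C, "Stefan Santesson")])
WITHOUT_COUNTRY = encode_name([(b"\x55\x04\x0A", 0x0C, "Accurata"), (b"\x55\x04\x03", 0x0C, "Stefan Santesson")])
```

A validator enforcing the "mandatory" position would reject a certificate whose subject yields None here, while the "optional" position would have it fall back to country information carried in the PersonalData construct.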