
Re: Showing Nationality in Cert



As usual, the devil is in the details.

First, it would be helpful if (finally) someone would specify precisely what the 
semantics of "countryName" is supposed to be, either for a natural, living (presumably)
person or a corporation.  The following possibilities come to mind: Place of birth,
place of incorporation, location of headquarters, choice of tax and/or legal
jurisdictional issues, or (the original X.500 intent, presumably) name of
name registration authority. If there is one.

With respect to countryOfCitizenship, I assume that this value could be
null (for stateless persons, for any of a number of reasons), as well as
multivalued, since some people are citizens of more than one country.

Likewise, I assume that countryOfResidence can be multi-valued.  
Certainly I can own or rent, and occasionally occupy, properties
in multiple countries.  Whether I am therefore a "resident" of that
country or merely a transient may depend on the vagaries of the various
tax codes, immigration laws, etc., in a number of countries -- it would 
not at all surprise me to learn that different jurisdictions might come to 
different conclusions as to the "facts" of such status -- who then decides?

In the US, at least, a person can be a resident of one state, yet be domiciled
(yet another term with a tortuous definition) in another state.  This is typically,
but not exclusively, the case with people who are in the military -- they often
choose which state to call their official "residence" for tax purposes, yet
they don't have to own any property or even have a permanent address in that
state!

Now that I think about it, given name and surname may also have to be multi-valued,
as people may have multiple, even "official" names, due to differences in
alphabets and customs.  

When I was in college, I had a friend named George O'Clock. When I asked
him how he happened to have such an unusual name, he said that when his
grandfather immigrated from the old country, the immigration official at Ellis
Island asked him for his name.  He said something like "Ohklubsanski", but
that was too hard for the immigration official, who had just noticed that it was
already past his quitting time.  So "O'Clock" is what he became.  (No, I don't know
what first name he put down.  I just hope it wasn't "Five"!)

>>> Stefan Santesson <stefan@accurata.se> 07/20/99 02:14PM >>>
This depends on what you want to do.

If you just want to add citizenship as additional information to the
subject DN then I agree with Russ and Bill that you use
SubjectDirectoryAttribute.

If you, however, wish to store a complete identity record, describing an
identity of a person, the Qualified Certificate draft has created a name
field placed in the subjectAltName extension under OtherNames.

This field is named the PersonalData field and has defined attributes for
CountryOfCitizenship.

The complete list of defined attributes for this field is:

   countryName;
   givenName;
   surname;
   pseudonym;
   dNQualifier;
   dateOfBirth;
   placeOfBirth;
   gender;
   postalAddress;
   countryOfCitizenship; and
   countryOfResidence.

You can use any subset of these attributes. But in order to use this field,
the present attributes from this list must form a unique identity (in order
to satisfy overall requirements for the SubjAltName extension).

You can find the latest preliminary QC draft at:

http://www.accurata.se/QC/documents/draft-ietf-pkix-qc-01prel_07.txt 

A new draft will be submitted officially within 2 weeks.

After this the draft will go to last call (according to plan).


/Stefan



At 10:40 AM 7/17/99 -0400, Vickers, Randal R wrote:
>I work with the US DoD PKI engineers at the Defense Information Systems
>Agency. Requirements from the Assistant Secretary of Defense for C3I state
>that we must show citizenship or nationality (semantics) in the cert. My
>question is what extension does anyone recommend placing it in. We have
>looked at subjectDirectoryAttribute and one of the extensions below
>subjectAlternateName. We are not locked into any one thing as long as it is
>standards based.
>	Thanks
>	Randal Vickers

-------------------------------------------------------------------
Stefan Santesson                <stefan@accurata.se>
Accurata AB                     http://www.accurata.se
Slagthuset                      Tel. +46-40 108588
211 20  Malmö                   Fax. +46-40 150790
Sweden                        Mobile +46-70 5247799

PGP fingerprint: 89BC 6C79 5B3D 591B 8547  1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------
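Taking the SubjectDirectoryAttribute route Stefan mentions, together with the point above that citizenship and residence may be multi-valued or absent, here is an added example (not part of the thread or of any project) that DER-encodes such an extension value by hand in Python. It assumes the id-pda OIDs that RFC 3739 later assigned (1.3.6.1.5.5.7.9.4 for countryOfCitizenship, 1.3.6.1.5.5.7.9.5 for countryOfResidence); the 1999 draft discussed in the thread predates that RFC.

```python
# Added example, not from the thread: hand-rolled DER for a
# SubjectDirectoryAttributes (id-ce 9) extension value carrying
# multi-valued countryOfCitizenship / countryOfResidence attributes.
# Assumption: the id-pda OIDs are the ones RFC 3739 later assigned.
OID_COUNTRY_OF_CITIZENSHIP = "1.3.6.1.5.5.7.9.4"
OID_COUNTRY_OF_RESIDENCE = "1.3.6.1.5.5.7.9.5"

def _length(n: int) -> bytes:
    # DER length: short form below 128, otherwise long form with a byte count.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def _oid(dotted: str) -> bytes:
    # OBJECT IDENTIFIER: first two arcs fold into one byte, the rest are base-128.
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _country(code: str) -> bytes:
    # Both attributes are PrintableString (SIZE 2): an ISO 3166 alpha-2 code.
    if len(code) != 2 or not (code.isascii() and code.isalpha() and code.isupper()):
        raise ValueError(f"not an ISO 3166 alpha-2 code: {code!r}")
    return _tlv(0x13, code.encode("ascii"))

def encode_subject_directory_attributes(attrs: dict) -> bytes:
    # SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
    # Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF AttributeValue }
    # Dual citizenship is simply two members of the SET OF (DER sorts them by
    # encoding); a stateless person omits the attribute entirely, because an
    # Attribute's value set is SIZE (1..MAX) and may not be empty.
    if not attrs:
        raise ValueError("at least one attribute is required")
    seq = b""
    for oid, values in attrs.items():
        if not values:
            raise ValueError(f"empty value set for {oid}")
        values_der = b"".join(sorted(_country(v) for v in values))
        seq += _tlv(0x30, _oid(oid) + _tlv(0x31, values_der))
    return _tlv(0x30, seq)
```

The resulting bytes are what would sit inside the OCTET STRING of a certificate extension with OID 2.5.29.9.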