
Re: Multi-national company listing issues



> From: Paul Koning <pkoning@xedia.com>
> 
>  Bob> In other words, does country= qualify the organization or
>  Bob> person, or the location, or what?
> 
> There's one data point that might help.
> 
> If you want to obtain an NSAP address block (for ATM for example) one
> easy way is to get it under the DCC (Data Country Code) branch of the
> NSAP space.  Those are administered by national bodies in various
> countries; in the USA that is ANSI.
> 
> ANSI will assign a block under its DCC code to anyone who hands over
> the $1000.  The fact that your entry appears under the code that
> represents "USA" means simply that the assignment was made by the USA
> registrar.  It has NO other meaning.  In particular, it doesn't mean
> *any* of the things you suggested above.


The problem with the Subject field of a certificate is that we have
chosen to overload it with multiple purposes:

  1) a globally-unique, hierarchically registered identifier
  2) purely descriptive attributes (OU, L, SP, physical mail address, etc)
      intended for human consumption
  3) attributes that in addition to their uniqueness or descriptive
      properties are also interpreted by machine (email address for
      mail delivery, C as an indicator of nationality for purposes of
      restricting access, or even worse, a parenthetical (U) as part of
      a Common Name to indicate a security clearance level!)

As Bob Moskowitz said:

> So do what ever you want.  Either will work for your client, neither will
> work for a global lookup.

or in other words, we reap what we have sown.  Since clear guidelines
for populating and using the Subject field are not established, people
do whatever works for them.  Using "whatever works locally" is not the
optimum approach for achieving global interoperability.  "C" can be
the identifier of a registrar (ANSI in the case of C=US), or it can
be citizenship of a person, or it can be country of incorporation for
a person's employer, but it can't simultaneously be more than one of
these.

Last year there was a long discussion on using subject names in the form
of email addresses.  That works great as long as everyone understands
that "joe@foo.com" is the name of a subject, and not necessarily the
place where joe's email is sent from or ultimately delivered to.

Personally, I would prefer the Subject DN to be exclusively a sequence
of registrar identifiers followed by a unique subject identifier, with
all other information in Subject Altname and Subject Directory
Attributes.  But that isn't the way most certs are issued today.
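As an added example (editor's code, not part of this post or the thread), a short Python audit that parses an RFC 4514 subject string and labels each attribute with the role the post describes it playing; the grouping of attribute types into those roles is an assumption made for illustration:

```python
import re
# Added example, not code from the thread. Grouping attribute types into the
# post's three roles is an assumption made for illustration.
DESCRIPTIVE = {"OU", "L", "ST", "SP", "STREET", "POSTALADDRESS", "POSTALCODE"}
MACHINE = {"EMAILADDRESS", "E", "MAIL"}

def _split_unescaped(s, sep):
    """Split on sep, leaving backslash-escaped characters untouched."""
    parts, buf, i = [], [], 0
    while i < len(s):
        step = 2 if s[i] == "\\" else 1  # keep the escape pair intact
        if step == 1 and s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i:i + step])
        i += step
    return parts + ["".join(buf)]

def _unescape(v):
    """Resolve RFC 4514 escapes: \\<char> and \\XX (one UTF-8 byte in hex)."""
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", v[i + 1:i + 3]):
            out.append(int(v[i + 1:i + 3], 16))
            i += 3
        else:
            skip = 1 if v[i] == "\\" and i + 1 < len(v) else 0
            out += v[i + skip].encode()
            i += 1 + skip
    return out.decode("utf-8", "replace")

def parse_dn(dn):  # RFC 4514 string -> list of RDNs, each [(type, value), ...]
    return [[(t.strip(), _unescape(v.strip())) for t, _, v in
             (av.partition("=") for av in _split_unescaped(rdn, "+"))]
            for rdn in _split_unescaped(dn, ",")]

def _role(t, v):  # the role, per the post's list, this attribute ends up playing
    kind = t.upper()
    if kind == "C":
        return "ambiguous: registrar code, citizenship or incorporation"
    if kind == "CN" and re.search(r"\([A-Z]{1,3}\)", v):  # e.g. "(U)" in a CN
        return "machine-interpreted: policy marker inside a display name"
    if kind in MACHINE:
        return "machine-interpreted"
    return "descriptive" if kind in DESCRIPTIVE else "identifier"

def audit_subject(dn):  # flatten the DN, labelling every attribute
    return [(t, v, _role(t, v)) for rdn in parse_dn(dn) for t, v in rdn]
```

The "ambiguous" label on C is the point of the post: a relying party that treats it as nationality for access decisions is reading meaning the issuer never put there.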