
RE: QC comparisons are DEADLY serious!



Stefan,
Comments inline.

>What you describe is another issue. Comparing the subjects name against an
>access control database may be a desired function. 

Can't say that I fully understand the value of unique identities in digital certificates if they
cannot be used by computers.

<snip>

>It should also be clear that it is NOT a function of the QC profile to
>guarantee that two certificates for the same person will be considered to
>match the same entity in an access control database. This must be resolved
>by other means.

I noted that QC "bans" such use, which was the whole reason for bringing this up.

May I suggest an extension to the QC draft that specifically addresses this issue?

Slight puke-warning!

As the dnQualifier seems to be reserved for a particular purpose and also has
an arbitrary syntax, it seems that dnQualifier is not a good candidate for access control.

Therefore I would like to see a new "subject item" named something like staticUniqueIdentity that, if
defined in a certificate, indicates that the CA indeed has the capability to (long-term) keep track
of its subscribers. Some preliminary rules to support this:

16 decimal digits. No more, no less. Like VISA. Why? To allow verbal communication of
"digital identity" with ease. Compatible with current systems after slight "translations". 16 digits
is enough for a 100-billion terrestrial population (Yuck!) for thousands of years. Interoperability is IMO
more important than "style", which is the reason for this admittedly rigid specification.

The staticUniqueIdentity is guaranteed to be unique for a certain CA.

If staticUniqueIdentity is defined, other attributes and names are only for informational
purposes (for human RPs) and should NOT be used to create a unique electronic identity.
This allows a CA to manufacture certificates of different "weight" without screwing up identity.

>But I promise I will bring this up in Washington to check others view.

Thanx!

/Anders
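An added illustration of the matching rule proposed in the message above, written for this archive page; it is not code from the QC draft, from Anders, or from any PKIX implementation. It assumes certificates have already been parsed into records with a hypothetical static_unique_identity field (the proposed staticUniqueIdentity subject item); the CA names, subject names and 16-digit values below are constructed sample data. The point it shows: an access-control database keyed on (issuer, staticUniqueIdentity) matches two differently named certificates from the same CA as one entity, while refusing to match across CAs or when the identifier is absent or malformed, so that it never falls back to comparing informational names.

```python
"""Access-control matching keyed on a CA-scoped static identifier.

Illustrative code for the proposal in the thread, not the QC draft's own text.
The Cert records stand in for parsed X.509 subjects; all values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Proposed rule: exactly 16 decimal digits, no more, no less.
STATIC_ID_PATTERN = re.compile(r"[0-9]{16}")


@dataclass(frozen=True)
class Cert:
    issuer: str                               # DN of the issuing CA
    subject_cn: str                           # informational only under the proposal
    static_unique_identity: Optional[str]     # hypothetical staticUniqueIdentity item


def validate_static_id(value: str) -> bool:
    """True iff value is exactly 16 decimal digits (fullmatch rejects extra characters)."""
    return STATIC_ID_PATTERN.fullmatch(value) is not None


def identity_key(cert: Cert) -> Optional[Tuple[str, str]]:
    """Key an access-control database should use for this certificate.

    The identifier is only promised to be unique within one CA, so the issuer
    is part of the key. Returns None when the certificate carries no valid
    identifier; the caller must then resolve the entity by other means rather
    than by comparing names.
    """
    sid = cert.static_unique_identity
    if sid is None or not validate_static_id(sid):
        return None
    return (cert.issuer, sid)


def same_entity(a: Cert, b: Cert) -> bool:
    """Two certificates denote one entity only via equal, valid identity keys."""
    ka, kb = identity_key(a), identity_key(b)
    return ka is not None and ka == kb


class AccessControlDB:
    """Minimal grant store keyed on (issuer, staticUniqueIdentity)."""

    def __init__(self) -> None:
        self._grants = {}

    def grant(self, cert: Cert, role: str) -> None:
        key = identity_key(cert)
        if key is None:
            raise ValueError("certificate has no valid staticUniqueIdentity; cannot key a grant on it")
        self._grants[key] = role

    def lookup(self, cert: Cert) -> Optional[str]:
        key = identity_key(cert)
        return None if key is None else self._grants.get(key)


# Constructed sample data (not real CAs, people or identifiers).
CA_A = "CN=Example CA A"
CA_B = "CN=Example CA B"
CERT_A1 = Cert(CA_A, "Anders Example", "1234567812345678")            # full-weight cert
CERT_A2 = Cert(CA_A, "A. Example, Dept 42", "1234567812345678")       # lighter cert, same CA, same id
CERT_B1 = Cert(CA_B, "Anders Example", "1234567812345678")            # same digits, different CA
CERT_BAD = Cert(CA_A, "Anders Example", "12345678")                   # wrong length: 8 digits


def build_demo_db() -> AccessControlDB:
    """Grant a role to CERT_A1 only; lookups on the other certs show the matching rule."""
    db = AccessControlDB()
    db.grant(CERT_A1, "admin")
    return db


if __name__ == "__main__":
    db = build_demo_db()
    print("names equal?         ", CERT_A1.subject_cn == CERT_A2.subject_cn)   # False
    print("same entity (A1,A2)? ", same_entity(CERT_A1, CERT_A2))              # True
    print("same entity (A1,B1)? ", same_entity(CERT_A1, CERT_B1))              # False
    print("lookup A2:           ", db.lookup(CERT_A2))                          # admin
    print("lookup B1:           ", db.lookup(CERT_B1))                          # None
    print("lookup malformed:    ", db.lookup(CERT_BAD))                         # None
```

Two design choices worth noting: the issuer is folded into the key because the proposal only promises uniqueness per CA, and a missing or malformed identifier yields no key at all rather than a name-based fallback, so a CA that issues certificates of different "weight" to one subscriber still resolves to a single entry.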