RE: QC comparisons are DEADLY serious!
Anders,
>As the dnQualifier seems to be reserved for a particular purpose and also has
>an arbitrary syntax, it seems that dnQualifier is not a good candidate for
>access control.
>
>Therefore I would like to see a new "subject item" named something like
>staticUniqueIdentity that, if defined in a certificate, indicates that the CA
>indeed has the capability to (long-term) keep track of its subscribers. Some
>preliminary rules to support this:
>
>16 decimal digits. No more, no less. Like VISA. Why? To allow verbal
>communication of "digital identity" with ease. Compatible with current systems
>after slight "translations". 16 digits is enough for a 100-billion terrestrial
>population (Yuck!) for thousands of years. Interoperability is IMO more
>important than "style", which is the reason for this admittedly rigid
>specification.
>
>The staticUniqueIdentity is guaranteed to be unique for a certain CA.
>
>If staticUniqueIdentity is defined, other attributes and names are only for
>informational purposes (for human RPs) and should NOT be used to create a
>unique electronic identity. This allows a CA to manufacture certificates of
>different "weight" without screwing up identity.
In version 2 X.509 certs there was a field added for unique subject and
issuer IDs. It was a bad idea, designed to address what appear to be some
of the issues you alluded to above; nobody uses it. I don't think we
should include a similar facility in a QC. You'll note that 2459
explicitly disparages use of the v2 UIDs.
Steve