
Re: dnQualifier topic - not solved yet.



Magnus and I have had discussions on this topic.

Going through what has been said lately, together with some off-list
comments, convinces us that we actually have a rough consensus that
everybody can live with.

And that is to use the serialNumber attribute.

The good thing about selecting serialNumber is that it is widely
implemented anyway, it works and it has a short OID.

But our choice of this attribute should also be a clear signal to the X.500
folks that we want to have X.520 and X.521 updated and fixed so this
attribute is clearly related, not only to devices, but to any type of object.

So if nobody strongly objects to this I will go ahead and include this in
the QC profile and I assume that rfc 2459 will be updated accordingly.

The proposal was previously presented as:
> I suggest that we:
> 
> - Add serialNumber to son of rfc2459 supportedAttributes as a MUST
> implement attribute (i.e. compliant applications MUST be able to understand
> it).
> 
> - Keep dnQualifier in son of rfc2459, with a note stating its intended
> purpose, the fact that new certificates should not break this intended
> usage, and also saying that clients should expect that some existing
> certificates may use this attribute to hold any type of value.
> 
> - specify use of serialNumber but NOT dnQualifier in the Qualified
> Certificates profile.
> 
> It would help to get your immediate support for this. Can you live with it??
> 
> /Stefan

With respect to inclusion in rfc2459, David Kemp wrote:
>Yes.  If dnQualifier remains in son of rfc2459 a requirement level will
>have to be specified.  I believe dnQualifier should be omitted entirely
>from the PKIX profile or be included at the MAY level with the usage note.
>But if there is a constituency for keeping it at the SHOULD or 
>MUST level (in addition to serialNumber), I could live with that.

I can live with both ways, so let's leave that up to the rfc2459 editors to
resolve.

/Stefan

-------------------------------------------------------------------
Stefan Santesson                <stefan@accurata.se>
Accurata AB                     http://www.accurata.se
Slagthuset                      Tel. +46-40 108588              
211 20  Malmö                   Fax. +46-40 150790              
Sweden                        Mobile +46-70 5247799

PGP fingerprint: 89BC 6C79 5B3D 591B 8547  1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------