Re: dnQualifier topic - not solved yet.
----- Original Message -----
From: Stefan Santesson <stefan@accurata.se>
To: <ietf-pkix@imc.org>
Sent: Tuesday, November 30, 1999 10:41 PM
Subject: Re: dnQualifier topic - not solved yet.
Magnus and I have had discussions on this topic.
Going through what has been said lately, together with some off-list
comments, convinces us that we actually have a rough consensus that
everybody can live with.
And that is to use the serialNumber attribute.
The good thing about selecting serialNumber is that it is widely
implemented anyway, it works and it has a short OID.
But our choice of this attribute should also be a clear signal to the X.500
folks that we want to have X.520 and X.521 updated and fixed so this
attribute is clearly related, not only to devices, but to any type of
object.
So if nobody strongly objects to this I will go ahead and include this in
the QC profile and I assume that rfc 2459 will be updated accordingly
cm> I object for the reasons previously outlined.. You are using it with the
wrong semantics and it will be impossible to distinguish from previous usage
that has the correct semantics...
Please address these issues...
The proposal was previously presented as:
> I suggest that we:
>
> - Add serialNumber to son of rfc2459 supportedAttributes as a MUST
> implement attribute (i.e. compliant applications MUST be able to
> understand it).
cm> See above this is not possible given existing usage...
Also please address the usage and privacy issue....
>
> - Keep dnQualifier in son of rfc2459, with a note stating its intended
> purpose, the fact that new certificates should not break this intended
> usage, and also saying that clients should expect that some existing
> certificates may use this attribute to hold any type of value.
>
> - specify use of serialNumber but NOT dnQualifier in the Qualified
> Certificates profile.
cm> See above...
>
> It would help to get your immediate support for this. Can you live with
> it??
cm> No...
>
> /Stefan
With respect to inclusion in rfc2459, David Kemp wrote:
>Yes. If dnQualifier remains in son of rfc2459 a requirement level will
>have to be specified. I believe dnQualifier should be omitted entirely
>from the PKIX profile or be included at the MAY level with the usage note.
>But if there is a constituency for keeping it at the SHOULD or
>MUST level (in addition to serialNumber), I could live with that.
cm> No...
I can live with both ways, so let's leave that up to the rfc2459 editors to
resolve.
/Stefan
-------------------------------------------------------------------
Stefan Santesson <stefan@accurata.se>
Accurata AB http://www.accurata.se
Slagthuset Tel. +46-40 108588
211 20 Malmö Fax. +46-40 150790
Sweden Mobile +46-70 5247799
PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------
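The objection above is that a serialNumber used for a person in a Qualified Certificate cannot be told apart from the existing device-serial usage. The following is an added example, not code from the thread or from any PKIX project: a minimal DER encoder and decoder for an X.501 Name that encodes a constructed device DN and a constructed person DN, both carrying serialNumber (2.5.4.5), and then extracts the attribute types a relying party can see. The OIDs are the real X.520 arcs; the DN values are made up.

```python
# Constructed example (not from the thread): minimal DER for an X.501 Name.
OID_SERIAL_NUMBER = "2.5.4.5"   # X.520 serialNumber
OID_DN_QUALIFIER = "2.5.4.46"   # X.520 dnQualifier
OID_COMMON_NAME = "2.5.4.3"     # X.520 commonName
def der_len(n):  # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def encode_oid(dotted):  # OBJECT IDENTIFIER, base-128 sub-identifiers
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_name(rdns):
    """rdns: list of (dotted OID, PrintableString value); one attribute per RDN."""
    atvs = [tlv(0x30, encode_oid(o) + tlv(0x13, v.encode("ascii"))) for o, v in rdns]
    return tlv(0x30, b"".join(tlv(0x31, atv) for atv in atvs))
def read_tlv(buf, pos):  # -> (tag, body_start, body_end) of the TLV at buf[pos]
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def attribute_types(name_der):
    """Encoded attribute-type OIDs of a DER Name, in order: all the type info a relying party gets."""
    types, (_, p, end) = [], read_tlv(name_der, 0)       # outer SEQUENCE OF RDN
    while p < end:
        _, q, rdn_end = read_tlv(name_der, p)              # SET (one RDN)
        while q < rdn_end:
            _, r, atv_end = read_tlv(name_der, q)          # SEQUENCE (type, value)
            _, _, oid_end = read_tlv(name_der, r)          # OBJECT IDENTIFIER
            types.append(name_der[r:oid_end])
            q = atv_end
        p = rdn_end
    return types
# Constructed sample DNs: one for a device, one for a natural person under a QC profile.
DEVICE_DN = encode_name([(OID_COMMON_NAME, "router-17"), (OID_SERIAL_NUMBER, "SN00012345")])
PERSON_DN = encode_name([(OID_COMMON_NAME, "Example Person"), (OID_SERIAL_NUMBER, "ID-4711")])
```

Both DNs yield the same attribute-type list, and both serialNumber and dnQualifier encode as a three-byte OID; whichever semantics a profile assigns to serialNumber must therefore come from the profile or a policy identifier, not from the Name itself.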