Re: people CN

Christian Huitema <Christian.Huitema@sophia.inria.fr> Fri, 27 November 1992 09:04 UTC

Message-Id: <199211270838.AA12254@mitsou.inria.fr>
To: Thomas Lenggenhager <lenggenhager@gate.switch.ch>
Cc: osi-ds <osi-ds@cs.ucl.ac.uk>, wg-nap <wg-nap@rare.nl>
Subject: Re: people CN
In-Reply-To: Your message of "27 Nov 92 08:01:46 GMT." <8797*lenggenhager@gate.switch.ch>
Date: Fri, 27 Nov 92 09:37:58 -0500
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Christian Huitema <Christian.Huitema@sophia.inria.fr>

The "CN collision" problem is a direct result of the "user friendly naming"
requirement. A basic hypothesis of the white page service is that the directory
does not create "identifiers" -- see the discussion on short names vs long names.
As a consequence, one assumes that "real life names" will be used, e.g. "cn=Andrew
Smith" in Andrew Findlay's example. The problem is indeed that life is nasty, and
that there is no such thing as a big brother watching you and making sure that
the given name + surname combination is unique world wide, or even organization
wide. Indeed, your parents, when choosing your name, seldom have a clear idea of
what you will be doing 40 years later.

One could make several interesting deductions from this, e.g. the fact that real
life names are ill-fitted for serving as database identifiers. I already tried to
make this point, but have not quite succeeded in convincing the OSI-DS group. So,
let's assume you want to stay in the "user friendly naming" philosophy. There are
then two consequences:

1) Your name is your name and shall remain intact. Pseudo-solutions like
	"cn=Christian Huitema number 1234567"
are not acceptable.

2) Thus you shall use more attributes than just the common name to identify the
person within the organization. The problem is indeed "which one to choose", and
several solutions may appear workable, e.g. an internal unique number, a date of
birth, an organizational unit, or whatever.

I suggest that we look at the needs of X.509, PEM and secure operations.
Distinguished names are used in "certificates", to produce a signature. Something
like:

	This letter is signed by "Jacques Martin" in organization "FooBar" in
	"France".

Now, suppose there are two "Jacques Martin", one being the director of the
organization with internal number 1234 and the other one being a repair technician
with internal number 5678. And look at the various possible signatures:

	This contract is signed by "Jacques Martin", internal number "5678" in
	organization "FooBar" in "France".

	This contract is signed by "Jacques Martin", whose role is "repair
	technician" in organization "FooBar" in "France".

	This contract is signed by "Jacques Martin", whose role is "director"
	in organization "FooBar" in "France".

May I suggest that using a "Role" attribute would, in general, be "a good thing"?
Something like:

	cn=Jacques Martin + Role=Director, O=FooBar, C=FR

would look quite reasonable, I think.

Christian Huitema
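Added example, not part of the original message: a small parser for string-form X.500 distinguished names, including the multi-valued RDN ("cn=... + Role=...") proposed above, used to show that the bare common name cannot tell the two "Jacques Martin" entries apart while the extra Role attribute does. The directory entries are constructed from the message's example.

```python
# Parses DNs such as "cn=Jacques Martin + Role=Director, O=FooBar, C=FR".
# Attribute types are matched case-insensitively and values are compared
# case-insensitively with whitespace collapsed (the usual caseIgnoreMatch
# behaviour for cn-like attributes). A backslash escapes ',' and '+'.


def parse_dn(dn: str) -> list[frozenset[tuple[str, str]]]:
    """Return the DN as a list of RDNs; each RDN is a set of (type, value)."""
    if not dn.strip():
        return []
    rdns: list[frozenset[tuple[str, str]]] = []
    avas: list[tuple[str, str]] = []   # attribute-value assertions of one RDN
    buf: list[str] = []
    i = 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","   # sentinel closes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])            # escaped ',' or '+' is literal
            i += 2
            continue
        if ch in ",+":
            typ, _, val = "".join(buf).partition("=")
            avas.append((typ.strip().lower(), " ".join(val.split()).lower()))
            buf = []
            if ch == ",":                    # '+' keeps adding to the same RDN
                rdns.append(frozenset(avas))
                avas = []
        else:
            buf.append(ch)
        i += 1
    return rdns


def same_entry(dn_a: str, dn_b: str) -> bool:
    """True when both strings name the same directory entry."""
    return parse_dn(dn_a) == parse_dn(dn_b)


def distinct_entries(dns: list[str]) -> int:
    """How many different entries a list of DN strings actually names."""
    return len({tuple(parse_dn(d)) for d in dns})


# Constructed sample: the director (1234) and the repair technician (5678).
WITHOUT_ROLE = ["cn=Jacques Martin, O=FooBar, C=FR",
                "CN=Jacques Martin,O=FooBar,C=FR"]
WITH_ROLE = ["cn=Jacques Martin + Role=Director, O=FooBar, C=FR",
             "cn=Jacques Martin + Role=Repair Technician, O=FooBar, C=FR"]

if __name__ == "__main__":
    print(distinct_entries(WITHOUT_ROLE), distinct_entries(WITH_ROLE))
```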