dnQualifier is used incorrectly

"Manger, James" <JManger@vtrlmel1.telstra.com.au> Thu, 11 November 1999 02:51 UTC

Message-Id: <199911110248.NAA25501@mail.cdn.telstra.com.au>
From: "Manger, James" <JManger@vtrlmel1.telstra.com.au>
To: ietf-pkix@imc.org
Subject: dnQualifier is used incorrectly
Date: Thu, 11 Nov 1999 11:24:10 +1100
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe

It is inappropriate to hold an employee/member/customer number as a
dnQualifier attribute value.  When multiple directories each have an entry
for the same person (or entity) the DN Qualifier disambiguates the entries.
A DN Qualifier value indicates which directory a DN refers to, not which
person in a directory.  In fact, the definition of DN Qualifier says the
same value should be used for all entries in a given directory.  Mapping
from directories to CAs, it is clear that the DN Qualifier should
disambiguate certificates issued to the same person by different CAs.  The
same DN Qualifier value should be used in all certificates issued by a given
CA.  The DN Qualifier should identify the CA, not the subject.

Example:
A company, Frottleby Limited, is certified by two CAs.
The TrustMe CA certifies Frottleby Limited using a DN:
	{ c "AU" / o "Frottleby Limited" dnQualifier "TrustMe Customer" }
The SuperID CA certifies Frottleby Limited using a DN:
	{ c "AU" / o "Frottleby Limited" dnQualifier "SuperID" }


Stephen & Stefan's quotes below are completely at odds with the original, &
surely definitive, X.520 definition of the DN Qualifier attribute.

Stephen Kent says, in 'Re: QC UID support must depart from RFC2459',

	"..I believe that the DN Qualifier makes more sense as a component
of a terminal RDN, at least from the standpoint of directory schema. I would
also suggest that this is the most appropriate attribute as a means of
expressing employee ID, payroll number, etc.  After all, these numbers were
assigned in the pre-X.500 world to achieve the analogous effect, i.e., to
disambiguate among database entries that might otherwise be identical."

Stefan Santesson says,

	"- Attributes for expressing a private identity (... dnQualifier)
...  Here the use of dnQualifier will be constrained to hold a unique
identifier of the subject within the set of all certificates issued by a
CA."

From X.520 | ISO/IEC 9594-6: 1993:

5.2.8 DN Qualifier
The DN Qualifier attribute type specifies disambiguating information to add
to the relative distinguished name of an entry.  It is intended to be used
for entries held in multiple DSAs which would otherwise have the same name,
and that its value be the same in a given DSA for all entries to which this
information has been added.

[DSA = Directory System Agent, basically a directory server]
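The example DNs above use the X.501 notation { c "AU" / o "Frottleby Limited" dnQualifier "..." }, in which the terminal RDN is multi-valued: the organisation name and the dnQualifier sit together in one SET. The following is an added example, not part of the original message or of any X.500 or PKIX implementation, that DER-encodes both DNs with a minimal stand-alone encoder (assuming PrintableString values and only the three X.520 attribute types used in the message) so the reader can see that the two certificates name the same subject and differ only in the qualifier that identifies the issuing CA.

```python
"""Minimal DER encoder for an X.501 Name (added illustration, not from the
original message).  It builds the two Frottleby DNs from the message and
shows that they agree on every attribute except dnQualifier."""
from typing import List, Tuple

# X.520 attribute-type OIDs (standard values)
OID_C = "2.5.4.6"            # countryName
OID_O = "2.5.4.10"           # organizationName
OID_DN_QUALIFIER = "2.5.4.46"  # dnQualifier

Rdn = List[Tuple[str, str]]   # one RDN: a SET of (oid, value) pairs
Name = List[Rdn]              # a DN: a SEQUENCE of RDNs, root RDN first


def _der_len(n: int) -> bytes:
    """DER length octets, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, base-128 after."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def _encode_atv(oid: str, value: str) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value PrintableString }."""
    return _tlv(0x30, _encode_oid(oid) + _tlv(0x13, value.encode("ascii")))


def encode_rdn(rdn: Rdn) -> bytes:
    """RelativeDistinguishedName ::= SET OF AttributeTypeAndValue.
    DER sorts SET OF members by their encoding, so a multi-valued RDN such
    as { o ..., dnQualifier ... } has exactly one canonical byte form."""
    members = sorted(_encode_atv(oid, v) for oid, v in rdn)
    return _tlv(0x31, b"".join(members))


def encode_name(name: Name) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName, root RDN first."""
    return _tlv(0x30, b"".join(encode_rdn(rdn) for rdn in name))


def frottleby_dn(qualifier: str) -> Name:
    """{ c "AU" / o "Frottleby Limited" dnQualifier <qualifier> } as in the
    message; the terminal RDN carries two attributes."""
    return [
        [(OID_C, "AU")],
        [(OID_O, "Frottleby Limited"), (OID_DN_QUALIFIER, qualifier)],
    ]


def dn_qualifiers(name: Name) -> List[str]:
    """Every dnQualifier value present anywhere in the Name."""
    return [v for rdn in name for oid, v in rdn if oid == OID_DN_QUALIFIER]


def same_subject_ignoring_qualifier(a: Name, b: Name) -> bool:
    """True when two DNs agree on everything except dnQualifier, i.e. they
    plausibly name one entity certified by two different CAs."""
    def strip(n: Name):
        return [sorted((o, v) for o, v in rdn if o != OID_DN_QUALIFIER) for rdn in n]
    return strip(a) == strip(b)


if __name__ == "__main__":
    trustme = frottleby_dn("TrustMe Customer")
    superid = frottleby_dn("SuperID")
    print("TrustMe DN:", encode_name(trustme).hex())
    print("SuperID DN:", encode_name(superid).hex())
    print("identical DER:", encode_name(trustme) == encode_name(superid))
    print("same subject:", same_subject_ignoring_qualifier(trustme, superid))
```

Because the qualifier is the only thing that varies, a relying party that strips dnQualifier before comparing can recognise both certificates as belonging to Frottleby Limited, while the full DER names remain distinct, which is exactly the disambiguation X.520 describes.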