Re: Use of dnQualifier must be settled
Russ Housley <housley@spyrus.com> Tue, 16 November 1999 20:06 UTC
Date: Tue, 16 Nov 1999 14:57:43 -0500
To: Stefan Santesson <stefan@accurata.se>
From: Russ Housley <housley@spyrus.com>
Subject: Re: Use of dnQualifier must be settled
Cc: ietf-pkix@imc.org, Sean Turner <turners@ieca.com>, "Manger, James" <JManger@vtrlmel1.telstra.com.au>, "Kesterson, Hoyt" <Hoyt.Kesterson@bull.com>, "David P. Kemp" <dpkemp@missi.ncsc.mil>, Anders Rundgren <anders.rundgren@jaybis.com>, "Ella P. Gardner" <egardner@mitre.org>, 'wford' <wford@verisign.com>, 'wpolk' <wpolk@nist.gov>, "'david.solo@citicorp.com'" <david.solo@citicorp.com>, 'Magnus Nyström' <magnus@rsasecurity.com>
Interpretation 1 cannot be correct. The DIT can be reallocated among DSAs, and this would result in name changes. For example: assume that c=XX, O=Acme was handled by one DSA, but the organization grew so that a second DSA was added. The new partition might be so that all of c=XX, o=Acme, ou=Sales was moved to the new DSA. I would hope that this adjustment would not cause any names to change.

Russ

At 04:00 PM 11/16/99 +0100, Stefan Santesson wrote:
>We must come to a common understanding on what the defined usage of
>dnQualifier is according to X.520.
>
>X.520 defines:
>--------------
>5.2.8 DN Qualifier
>The DN Qualifier attribute type specifies disambiguating information to add
>to the relative distinguished name of an entry. It is intended to be used
>for entries held in multiple DSAs which would otherwise have the same name,
>and that its value be the same in a given DSA for all entries to which this
>information has been added.
>[DSA = Directory System Agent, basically a directory server]
>-------------------
>
>Let's apply this to two DSAs, each of which is represented here by a group
>of entries.
>
>DSA 1 group:                 DSA 2 group:
>1) CN="Alice"                1) CN="Alice"
>2) CN="Bob"                  2) CN="Bob"
>3) CN="Bob"                  3) CN="Fred"
>
>
>INTERPRETATION 1:
>-----------------
>One interpretation (Manger) is that this means that dnQualifier is defined
>to disambiguate names between independent domains (DSAs). In this case group
>1 above is invalid because names within a group must be unique also
>without dnQualifier. But if we delete 3) from group 1 we can then use
>dnQualifier to disambiguate Alice and Bob between group 1 and 2. dnQualifier
>is used to give all entries a common disambiguating value for each group.
>
>Ex.
>DSA 1 group:                 DSA 2 group:
>1) CN="Alice", DNQ="Grp 1"   1) CN="Alice", DNQ="Grp 2"
>2) CN="Bob", DNQ="Grp 1"     2) CN="Bob", DNQ="Grp 2"
>                             3) CN="Fred"
>
>Note that DNQ is not added to "Fred" since that is not needed.
>
>
>INTERPRETATION 2
>-----------------
>
>Interpretation 2 is the current interpretation behind the current rfc2459
>and also the interpretation in the QC profile. This interpretation says
>that dnQualifier can be used to disambiguate any name from any other name,
>regardless of whether these names are located within the same group or not.
>
>In this case the example groups may look like this:
>DSA 1 group:                 DSA 2 group:
>1) CN="Alice", DNQ="1"       1) CN="Alice", DNQ="2"
>2) CN="Bob", DNQ="1"         2) CN="Bob", DNQ="3"
>3) CN="Bob", DNQ="2"         3) CN="Fred", DNQ="1"
>
>It could also be used to store unique values like this:
>DSA 1 group:                 DSA 2 group:
>1) CN="Alice", DNQ="01"      1) CN="Alice", DNQ="11"
>2) CN="Bob", DNQ="02"        2) CN="Bob", DNQ="12"
>3) CN="Bob", DNQ="03"        3) CN="Fred", DNQ="13"
>
>
>
>Now we need to settle once and for all.....
>
>Is interpretation 1 or 2 the right one?
>
>Please be active on this one because it is VERY important that we agree on
>a consensus here very soon.
>
>
>/Stefan
>
>
>-------------------------------------------------------------------
>Stefan Santesson <stefan@accurata.se>
>Accurata AB                  http://www.accurata.se
>Slagthuset                   Tel. +46-40 108588
>211 20 Malmö                 Fax. +46-40 150790
>Sweden                       Mobile +46-70 5247799
>
>PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0
>-------------------------------------------------------------------
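To make the two readings concrete, here is an added model (not from the thread or any directory implementation) that checks a set of DSA groups under each interpretation and then replays Russ's repartitioning scenario against Stefan's interpretation-1 layout; the base DN, the `DNQ` key and rendering dnQualifier as a second value in the CN's RDN are assumptions of this model.

```python
from collections import Counter

BASE = "C=XX,O=Acme"  # assumed base DN, taken from Russ's example

def dn(entry):
    """Render an entry as a DN; dnQualifier is modelled as a second value in
    the CN's RDN (a modelling assumption, not something the thread fixes)."""
    rdn = f'CN={entry["CN"]}'
    if "DNQ" in entry:
        rdn += f'+dnQualifier={entry["DNQ"]}'
    return f"{rdn},{BASE}"

def all_dns_unique(dsas):
    """Both readings need every full DN across all DSAs to be distinct."""
    names = [dn(e) for entries in dsas for e in entries]
    return len(names) == len(set(names))

def valid_under_interp_1(dsas):
    """Interpretation 1 (Manger): CNs must be unique within a DSA even without
    dnQualifier, and all qualifiers in one DSA must share a single value."""
    for entries in dsas:
        if max(Counter(e["CN"] for e in entries).values(), default=0) > 1:
            return False
        if len({e["DNQ"] for e in entries if "DNQ" in e}) > 1:
            return False
    return all_dns_unique(dsas)

def valid_under_interp_2(dsas):
    """Interpretation 2 (rfc2459 / QC profile): any value anywhere, as long as
    the resulting full DNs differ."""
    return all_dns_unique(dsas)

def repartition(dsas, src, dst, cn):
    """Russ's scenario: move entries with this CN from DSA src to DSA dst
    without touching their RDNs, as when part of the DIT moves to a new DSA."""
    new = [list(entries) for entries in dsas]
    moved = [e for e in new[src] if e["CN"] == cn]
    new[src] = [e for e in new[src] if e["CN"] != cn]
    new[dst].extend(moved)
    return new

# Constructed input, rebuilt from the groups in Stefan's message.
RAW = [[{"CN": "Alice"}, {"CN": "Bob"}, {"CN": "Bob"}],
       [{"CN": "Alice"}, {"CN": "Bob"}, {"CN": "Fred"}]]
INTERP1 = [[{"CN": "Alice", "DNQ": "Grp 1"}, {"CN": "Bob", "DNQ": "Grp 1"}],
           [{"CN": "Alice", "DNQ": "Grp 2"}, {"CN": "Bob", "DNQ": "Grp 2"}, {"CN": "Fred"}]]
INTERP2 = [[{"CN": "Alice", "DNQ": "1"}, {"CN": "Bob", "DNQ": "1"}, {"CN": "Bob", "DNQ": "2"}],
           [{"CN": "Alice", "DNQ": "2"}, {"CN": "Bob", "DNQ": "3"}, {"CN": "Fred", "DNQ": "1"}]]
```

Moving Bob from DSA 1 to DSA 2 in the interpretation-1 layout leaves every full DN distinct, so interpretation 2 still accepts it, while interpretation 1 rejects the result and would force Bob's name to change, which is the objection in the reply above.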