Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
"Anders Rundgren" <anders.rundgren@telia.com> Wed, 21 July 2004 16:27 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA01445 for <pkix-archive@lists.ietf.org>; Wed, 21 Jul 2004 12:27:07 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LFQQLK094339; Wed, 21 Jul 2004 08:26:26 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LFQQjT094338; Wed, 21 Jul 2004 08:26:26 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from av3-2-sn4.m-sp.skanova.net (av3-2-sn4.m-sp.skanova.net [81.228.10.113]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LFQP9k094317 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 08:26:26 -0700 (PDT) (envelope-from anders.rundgren@telia.com)
Received: by av3-2-sn4.m-sp.skanova.net (Postfix, from userid 502) id 9ECA037ED6; Wed, 21 Jul 2004 17:26:14 +0200 (CEST)
Received: from smtp2-2-sn4.m-sp.skanova.net (smtp2-2-sn4.m-sp.skanova.net [81.228.10.182]) by av3-2-sn4.m-sp.skanova.net (Postfix) with ESMTP id 8DA7037E46; Wed, 21 Jul 2004 17:26:14 +0200 (CEST)
Received: from arport (t11o913p10.telia.com [213.64.28.10]) by smtp2-2-sn4.m-sp.skanova.net (Postfix) with SMTP id 8714337E49; Wed, 21 Jul 2004 17:26:11 +0200 (CEST)
Message-ID: <00a001c46f36$a5abe6c0$0500a8c0@arport>
From: Anders Rundgren <anders.rundgren@telia.com>
To: ietf-pkix@imc.org
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, Denis Pinkas <Denis.Pinkas@bull.net>
References: <73388857A695D31197EF00508B08F29806EE1B4B@ntmsg0131.corpmail.telstra.com.au>
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Date: Wed, 21 Jul 2004 17:23:14 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit
Denis, James is probably right regarding multiple serialNumbers. But why didn't you rather showed him that you actually can handle multiple PI's by using the subjectAltName-only variant for the company ID? However, that James put a DUNS 554433 "sort-of-PI" in the subject DN, again illustrates the obvious: It is non-intuitive to put names in other places than in DNs. This includes assigners as well. That X.520 does not support assigners is hardly an argument as the X.500 people apparently didn't understood the importance of permanent identifier concepts, so we are now actually "patching" X.500. Patches usually "look" ugly but they may "work" completely OK anyway. We may ignore this fact, but it will most likely just show up again in homebrewed constructs like the one James (accidentally?) created. To further complicate things: That the "subject" is John Doe is only valid from a strict X.500 point of view. If this certificate is actually associated with a signed purchase order that a relying party (supplier) has just received, they hardly regard John Doe (who they may never ever have heard of) as the "important" thing but rather "Acme Ltd" and "DUNS 554433". Well, I actually lied here because they will not bother with the certificate DN at all as this name scheme is entirely different to the name schemes used in business messages. Only X.500 experts can on case-per-case basis, manually and only occasionally do this name matching. That PIs insist on using OIDs for authorities, thereby avoiding intelligible expressions like "DUNS" or http://www.dnb.com/duns, will postpone this for security reasons highly wanted name matching for yet another decade. e-Business folks generally have no idea what an OID is, and before PIs they had no reason to know it either. ============================================ A properly designed PI OTOH, could be the bridge between identities in certificates and business messages that X.500 as it stands today never achieved, and never will either! ============================================ But if the only goal is to get PI out now, I guess we might as well support things like James' "sort-of-PI" scheme by keeping focus on the "deepest" serialNumber. That was deep :-) Anders ----- Original Message ----- From: "Manger, James H" <James.H.Manger@team.telstra.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net>; <ietf-pkix@imc.org> Sent: Wednesday, July 21, 2004 03:15 Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute That is wrong. A DN names an object by describing a path to it through a hierarchy of other objects. Each RDN consists of attributes of one of those *other* objects. Only the last RDN has attributes of the actual named object. A serialNumber attribute (like any other attribute) can appear multiple times -- once for each level of the hierarchy (ie once for each RDN). RDN = *Relative* Distinguished Name. [Note. No attribute type can appear multiple times within a single RDN.] In my sample DN: cn="John Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS 554433", c=US there are 3 objects: a country, a company and a person. The person only has one serialNumber. The company is an object in its own right so it can have its own serialNumber. So please reconsider my suggestion (1) that when identifierValue is absent the deepest serialNumber value is used. [Theoretically, the PI draft could require the serialNumber be in the deepest RDN. This would ensure the serialNumber is an attribute of the named object, not of some parent object. However, I would not recommend that. It is not unusual for DNs (particularly in certificates) to only use 1 attribute per RDN, even if some of the attributes all relate to the same logical object.] ---------- From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] Sent: Wednesday, 21 July 2004 12:01 AM Section 5.2.9 from X520 defines the serial Number attribute as follows: "The serial Number attribute type specifies an identifier, the serial number of an objet." The serial Number attribute applies to the object, not to a RDN component. Thus, unless it is an error, there can't be multiple serial Number attributes in a DN.
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- Re: draft-ietf-pkix-pi-10.txt - single serialNumb… Anders Rundgren
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Russ Housley
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Anders Rundgren
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Russ Housley
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Alberti Antoine
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… David P. Kemp
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Fisher, James L.
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… David P. Kemp
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Russ Housley
- Re: SCVP-15 Michael Myers
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Richard Levitte - VMS Whacker
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- Re: pkix-pi-10.txt - Usage Models Anders Rundgren