IETF Logo Mail Archive

Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute

Denis Pinkas <Denis.Pinkas@bull.net> Wed, 21 July 2004 16:56 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA03316 for <pkix-archive@lists.ietf.org>; Wed, 21 Jul 2004 12:56:38 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LG1huY097791; Wed, 21 Jul 2004 09:01:43 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LG1hqK097790; Wed, 21 Jul 2004 09:01:43 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LG1gor097779 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 09:01:42 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA32066; Wed, 21 Jul 2004 18:11:57 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id SAA02689; Wed, 21 Jul 2004 18:01:31 +0200
Message-ID: <40FE9323.8090306@bull.net>
Date: Wed, 21 Jul 2004 18:00:35 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>
CC: "Manger, James H" <James.H.Manger@team.telstra.com>, ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
References: <73388857A695D31197EF00508B08F29806EE1B42@ntmsg0131.corpmail.telstra.com.au> <6.1.1.1.2.20040721105229.035faf80@mail.binhost.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

Russ,

I would think that you wrote this e-mail before getting mine on the same 
topic. When reading your e-mail, I would believe that the two cases would 
need to be changed from:

1 - if there is one serialNumber attribute alone in a RDN (i.e. no
     other attribute is present in that RDN), then the value contained
     in that serialNumber shall be used as the identifierValue;

2 - if there is no serialNumber attribute alone in a RDN, then the
     deepest RDN shall include a serialNumber attribute and the
     value contained in that serialNumber shall be used as the
     identifierValue.

to:

1 - if there is one serialNumber attribute alone in a RDN (i.e. no
     other attribute is present in that RDN), then *there shall
     only be one such RDN and* the value contained in the
     serialNumber attribute shall be used as the identifierValue;

2 - if there is no serialNumber attribute alone in a RDN, then the
     deepest RDN shall include a *single* serialNumber attribute
     and the value contained in that serialNumber shall be used
     as the identifierValue.

Denis


> James:
> 
> The authors put the serial number restriction into the document in 
> response to a comment from me.  In the example that you provide, there 
> is not a problem.  However, one can construct a distinguished name that 
> is ambiguous.  The X.500 series of documents give us a very complex 
> structure for Name:
> 
>    Name ::= CHOICE {
>      RDNSequence }
> 
>    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
> 
>    RelativeDistinguishedName ::=
>      SET OF AttributeTypeAndValue
> 
>    AttributeTypeAndValue ::= SEQUENCE {
>      type     AttributeType,
>      value    AttributeValue }
> 
>    AttributeType ::= OBJECT IDENTIFIER
> 
>    AttributeValue ::= ANY DEFINED BY AttributeType
> 
> Since RelativeDistinguishedName is a SET, it is possible to have more 
> than one attribute at the same level.  If this level were to include 
> more than one SerialNumber attribute, then it would not be clear which 
> one to use as the permanent identifier.  Since it is a SET, one cannot 
> rely on order to help resolve this issue.  They would be equally "deep" 
> in the RDNSequence.
> 
> I admit that no one in their right mind would design a schema like this, 
> but sadly, the structure permits an uninformed person to make some 
> really bad choices.  Further, guidance in this area was removed from the 
> X.500 series of documents.  The informative information that was once 
> present was removed because some implementors treated it as normative.
> 
> Russ
> 
> 
> At 01:07 AM 7/19/2004, Manger, James H wrote:
> 
>> 1.
>> The ability to flag a serialNumber attribute value in the subject name 
>> as a permanent identifier is a nice feature.  Requiring that there 
>> only be a single serialNumber attribute, however, is unnecessarily 
>> restrictive.  It seems quite sensible to use serialNumber attributes 
>> to hold company numbers, org unit ids and/or personal identifiers.  
>> For example: cn="John Doe" serialNumber=12345, o="Acme Ltd" 
>> serialNumber="DUNS 554433", c=US.  The PI extension would refer to 12345.
>>
>> [Section 2] Change the ASN.1 comment for the identifierValue field of 
>> PermanentIdentifier to:
>> " -- if absent, use the deepest serialNumber attribute value in the 
>> subject DN"
>>
>> [Section 2] Change the paragraph that begins "When the identifierValue 
>> field is absent" to:
>> "When the identifierValue field is absent, then the deepest 
>> serialNumber attribute value from the subject DN is the value to be 
>> taken for the identifierValue.  An attribute is "deeper" if it occurs 
>> later in the sequence of RDNs that make up the DN.  A "deeper" 
>> attribute occurs earlier in the string representation of a DN 
>> [RFC2253], which start encoding the last element of the RDN sequence 
>> that makes up a DN and moves backwards towards the first.  The 
>> PermanentIdentifier SHALL NOT be used if there is no serialNumber 
>> attribute in the subject DN.
>>
>>
>>
>> 2.
>> Why can't the assigner field be present but the identifierValue field 
>> be absent (refer to the serialNumber attribute)?  An absent 
>> identifierValue is simply "shorthand" to avoid duplicating a value -- 
>> it doesn't really have any sematic value so shouldn't have any impact 
>> on the assigner field (or vice versa).
>>
>>
>>
>> 3.
>> The security considerations section mentions an identifierType field 
>> that no longer exists.
>>
>>
>> > ----------
>> > From:         Internet-Drafts@ietf.org 
>> [mailto:Internet-Drafts@ietf.org]
>> > Sent: Wednesday, 14 July 2004 6:05 AM
>> >
>> >       Title           : Internet X.509 Public Key Infrastructure 
>> Permanent Identifier
>> >       Author(s)       : D. Pinkas, T. Gindin
>> >       Filename        : draft-ietf-pkix-pi-10.txt
>> >       Date            : 2004-7-13
>> >
>> > http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
>> >
>> >       ----------
>> >       From:   Denis Pinkas [mailto:Denis.Pinkas@bull.net]
>> >       Sent:   Thursday, 15 July 2004 6:06 PM
>> >       Cc:     ietf-pkix@imc.org
>> >
>>                 ... the definition of the PI has been changed to allow 
>> to use the serialNumber attribute from the subject DN.
> 
> 
>

v2.23.0 | Report a Bug | By Email