Re: QC UID support must depart from RFC2459
"David P. Kemp" <dpkemp@missi.ncsc.mil> Wed, 10 November 1999 14:08 UTC
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA22004 for <pkix-archive@odin.ietf.org>; Wed, 10 Nov 1999 09:08:25 -0500 (EST)
Received: from localhost (daemon@localhost) by ns.secondary.com (8.9.3/8.9.3) with SMTP id GAA05353; Wed, 10 Nov 1999 06:06:55 -0800 (PST)
Received: by mail.imc.org (bulk_mailer v1.12); Wed, 10 Nov 1999 06:06:51 -0800
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA05321 for <ietf-pkix@imc.org>; Wed, 10 Nov 1999 06:06:48 -0800 (PST)
Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id JAA04052 for <ietf-pkix@imc.org>; Wed, 10 Nov 1999 09:07:57 -0500 (EST)
Received: from missi.ncsc.mil (depot.missi.ncsc.mil [144.51.60.1]) by stingray.missi.ncsc.mil with ESMTP id JAA04048 for <ietf-pkix@imc.org>; Wed, 10 Nov 1999 09:07:57 -0500 (EST)
Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.58.9]) by missi.ncsc.mil (8.8.8/8.8.8) with ESMTP id JAA17625 for <ietf-pkix@imc.org>; Wed, 10 Nov 1999 09:07:16 -0500 (EST)
Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.58.9]) by ara.missi.ncsc.mil (8.9.1b+Sun/8.9.1) with SMTP id JAA13133 for <ietf-pkix@imc.org>; Wed, 10 Nov 1999 09:03:22 -0500 (EST)
Message-Id: <199911101403.JAA13133@ara.missi.ncsc.mil>
Date: Wed, 10 Nov 1999 09:03:22 -0500
From: "David P. Kemp" <dpkemp@missi.ncsc.mil>
Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
Subject: Re: QC UID support must depart from RFC2459
To: ietf-pkix@imc.org
MIME-Version: 1.0
Content-Type: TEXT/plain; charset="us-ascii"
Content-MD5: 6xR/2+AUBBMMLcR1heSRIQ==
X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe
Steve,
There seems to be more heat here than what would be generated by actual
differences in requirements. It may be useful to restate the
requirements in an effort to obtain a useful agreed-to profile.
The QC profile lists the attributes that MAY be used in the subject
field of a certificate - the QC list differs from the RFC 2459 list:
QC atttribute RFC245 MUST/SHOULD
----------- -----------------
countryName M
commonName M
surname S
givenName S
dnQualifier M
orgName M
orgUnitName M
title S
localityName S
The QC profile lists two attributes not included in RFC2459:
pseudonym -
postalAddress -
RFC2459 includes four attributes not listed in QC:
stateOrProvinceName M
domainComponent M
initials S
generationQualifier S
No X.520 attributes appear to have the semantics of "employee number",
"student number", "payroll number", etc that Anders is requesting.
X.520:
"The Unique Identifier attribute type specifies an identifier
which may be used to distinguish between object references when
a distinguished name has been reused."
"The DN Qualifier attribute type specifies disambiguating information
to add to the relative distinguished name of an entry."
"The Serial Number attribute type specifies an identifier, the
serial number of a device."
The DN Qualifier is suitable for use as you describe in the
second paragraph, as part of a multi-value terminal RDN. But what
attribute should be used for the function you describe in the first
paragraph: a permanent unique identifier that is suitable for use
as a single-value RDN?
TRW has described their corporate naming scheme to the Federal PKI
technical working group - it looks something like:
C=US, O=TRW.COM, OU=Employees, UID=123456, CN=Fred Smith
where UID is (I believe) 0.9.2342.19200300.100.1.1 defined in
draft-smith-ldap-inetorgperson-03.txt. This naming scheme allows
the UID employee number to be used in comparisons (for example in
access control lists) while the CN can change during an employee's
tenure without affecting the comparisons.
This scheme is IMHO eminently sensible (and much more sensible than the
DoD's current plan to concatenate a common name and a UID in the CN
attribute!). How will son-of-2459 or the next QC draft profile the TRW
naming scheme?
Dave Kemp
> Date: Mon, 8 Nov 1999 11:13:37 -0500
> To: "Anders Rundgren" <anders.rundgren@jaybis.com>
> From: Stephen Kent <kent@po1.bbn.com>
>
> Anders,
>
> If QCs deviate from 2459 (in its future, revised version), then there will
> be no QC profile as an IETF standard. I assume this is obvious, but just
> wanted to inject a little reality check here.
>
... and ...
>
> Yes, many organizations do qualify individuals by employee, student,
> payroll, or other numeric IDs. The preferred way to make use of this
> qualification is as one element of a two element set for the terminal RDN.
> After all, this qualifying number is needed to uniquely identify two
> individuals who would otherwise have the same DN, so it belongs in the DN.
>
> Steve
>
- QC UID support must depart from RFC2459 Anders Rundgren
- Re: QC UID support must depart from RFC2459 Stephen Kent
- Re: QC UID support must depart from RFC2459 Anders Rundgren
- Re: QC UID support must depart from RFC2459 David P. Kemp
- Re: QC UID support must depart from RFC2459 Stefan Santesson
- Re: QC UID support must depart from RFC2459 Stephen Kent
- DOD Plans [was: Re: QC UID support must depart fr… schaen
- Re: QC UID support must depart from RFC2459 Bill Brice (listserv)
- ANSI X9.79 - CA Control Objectives. Khaja E. Ahmed