Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Denis Pinkas <Denis.Pinkas@bull.net> Mon, 26 July 2004 10:25 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA12825 for <pkix-archive@lists.ietf.org>; Mon, 26 Jul 2004 06:25:30 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6Q9TIK6093885; Mon, 26 Jul 2004 02:29:18 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6Q9TIgB093884; Mon, 26 Jul 2004 02:29:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6Q9TDPR093813 for <ietf-pkix@imc.org>; Mon, 26 Jul 2004 02:29:15 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id LAA37174; Mon, 26 Jul 2004 11:39:27 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id LAA29388; Mon, 26 Jul 2004 11:28:59 +0200
Message-ID: <4104CE92.9020903@bull.net>
Date: Mon, 26 Jul 2004 11:27:46 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: "Manger, James H" <James.H.Manger@team.telstra.com>
CC: ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
References: <73388857A695D31197EF00508B08F29806EE1B50@ntmsg0131.corpmail.telstra.com.au>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
James,

> Thanks David.
>
>> cn="John Doe" , o="Acme Ltd" serialNumber="DUNS554433", c=US
>
> Denis's "problem" DN does not need to be solved. The DN does NOT contain a PI for the subject so the CA will not include a PI extension saying it does. End of story.
>
> Russ's "problem" DN does not need to be solved. As David notes, an attribute type is not allowed to appear more than once in an RDN.
>
> I still suggest using my original text changes.

Your original text was: "when identifierValue is absent the deepest serialNumber value is used".

I would guess that you mean: "when identifierValue is absent, the value contained in the serialNumber of the deepest RDN SHALL be used."

I would propose instead to re-use my text, modified by David, with an additional modification for item 2. This leads to:

1 - if there are one or more RDNs containing a serialNumber attribute (alone or accompanied by other attributes), then the value contained in the serialNumber of the deepest such RDN SHALL be used as the identifierValue.

2 - otherwise, the Permanent Identifier definition is invalid and the Permanent Identifier SHALL not be used.

Denis

> -----Original Message-----
> From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil]
> Sent: Thursday, 22 July 2004 5:58 AM
> To: Denis Pinkas
> Cc: Russ Housley; Manger, James H; ietf-pkix@imc.org
> Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
>
> Denis,
>
> Your two conditions below are logical but unnecessarily restrictive.
>
> Consider James' original (correct) example:
>
> [1] cn="John Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS 554433", c=US
>
> and a modification (poorly-structured, but legal) that uses only single-valued RDNs:
>
> [2] cn="John Doe", serialNumber=12345, o="Acme Ltd", serialNumber="DUNS 554433", c=US
>
> and your example:
>
> [3] cn="John Doe", o="Acme Ltd", serialNumber="DUNS 554433", c=US
>
> I do not believe it is necessary to prohibit [2] in order to prevent [3]. Instead, if the SAN identifierValue is absent:
>
> 1 - if there are one or more RDNs containing a serialNumber attribute (alone or accompanied by other attributes), then the value contained in the serialNumber of the deepest such RDN shall be used as the identifierValue.
>
> 2 - otherwise, the CA is in error.
>
> X.501 (02/2001) section 9.3, which appears to be normative, not informative, prohibits a given attribute type from appearing more than once in the same RDN. The origin of Russ' comments regarding the possibility of multiple serialNumber attributes in a single RDN is unclear.
>
> Dave
>
> Denis Pinkas wrote:
>
>> 1 - if there is one serialNumber attribute alone in a RDN (i.e. no other attribute is present in that RDN), then *there shall only be one such RDN and* the value contained in the serialNumber attribute shall be used as the identifierValue;
>>
>> 2 - if there is no serialNumber attribute alone in a RDN, then the deepest RDN shall include a *single* serialNumber attribute and the value contained in that serialNumber shall be used as the identifierValue.
>>
>> Denis
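The selection rule debated above (use the serialNumber of the deepest RDN that contains one; otherwise the Permanent Identifier is invalid), worked through on the thread's example DNs as an added illustration. This is not code from the thread, the draft, or any of its authors; the function names (`parse_dn`, `permanent_identifier_value`, `is_well_formed`) are hypothetical. The parser is a deliberately simplified LDAP-style DN reader: RDNs separated by ',', attributes of one multi-valued RDN joined with '+' (the RFC 2253 notation, used here in place of the space-separated form in James's example [1]), and double-quoted values. DNs are written leaf-first, as in the thread, so the "deepest" RDN is the first one encountered. It also rejects, per the X.501 section 9.3 point David raises, any RDN in which an attribute type appears twice.

```python
"""Pick the Permanent Identifier's identifierValue from a subject DN when the
PI extension carries no explicit identifierValue (added example; hypothetical
helper names, not the draft's own code)."""
from typing import List, Optional, Tuple

RDN = List[Tuple[str, str]]          # one RDN: list of (attributeType, value)


def _split_attr(text: str) -> Tuple[str, str]:
    """Split 'type=value' into its parts, trimming surrounding whitespace."""
    if "=" not in text:
        raise ValueError(f"malformed attribute: {text!r}")
    attr_type, value = text.split("=", 1)
    return attr_type.strip(), value.strip()


def _check_rdn(rdn: RDN) -> None:
    """X.501 (02/2001) 9.3: an attribute type may appear at most once per RDN."""
    types = [t.lower() for t, _ in rdn]
    if len(types) != len(set(types)):
        raise ValueError(f"attribute type repeated within one RDN: {rdn!r}")


def parse_dn(dn: str) -> List[RDN]:
    """Parse a simplified LDAP-style DN (leaf RDN first) into a list of RDNs.

    ',' separates RDNs, '+' separates attributes of one multi-valued RDN,
    and double quotes protect values containing ',' or '+'.
    """
    rdns: List[RDN] = []
    rdn: RDN = []
    buf = ""
    in_quotes = False
    for ch in dn + ",":              # trailing ',' acts as a sentinel for the last RDN
        if ch == '"':
            in_quotes = not in_quotes
            continue                 # quotes delimit, they are not part of the value
        if not in_quotes and ch in ",+":
            rdn.append(_split_attr(buf))
            buf = ""
            if ch == ",":
                _check_rdn(rdn)
                rdns.append(rdn)
                rdn = []
            continue
        buf += ch
    if in_quotes:
        raise ValueError("unterminated quoted value")
    return rdns


def select_identifier_value(rdns_leaf_first: List[RDN]) -> Optional[str]:
    """Rule 1: the serialNumber of the deepest RDN containing one (alone or with
    other attributes). Rule 2: no such RDN means the PI is invalid -> None.
    With the DN written leaf-first, the deepest match is the first one seen."""
    for rdn in rdns_leaf_first:
        for attr_type, value in rdn:
            if attr_type.lower() == "serialnumber":
                return value
    return None


def permanent_identifier_value(dn: str) -> Optional[str]:
    """Convenience wrapper: parse the DN string, then apply the selection rule."""
    return select_identifier_value(parse_dn(dn))


def is_well_formed(dn: str) -> bool:
    """True when the DN parses and no RDN repeats an attribute type."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the thread's examples [1], [2], [3] and a DN with no serialNumber.
    examples = {
        "[1]": 'cn="John Doe"+serialNumber=12345, o="Acme Ltd"+serialNumber="DUNS 554433", c=US',
        "[2]": 'cn="John Doe", serialNumber=12345, o="Acme Ltd", serialNumber="DUNS 554433", c=US',
        "[3]": 'cn="John Doe", o="Acme Ltd", serialNumber="DUNS 554433", c=US',
        "[4]": 'cn="John Doe", o="Acme Ltd", c=US',
    }
    for label, dn in examples.items():
        print(label, "->", permanent_identifier_value(dn))
    # Repeated type inside one RDN is rejected outright (X.501 9.3).
    print("duplicate-type RDN well formed?", is_well_formed('cn=X+serialNumber=1+serialNumber=2, c=US'))
```

Running this shows that [1] and [2] both yield 12345, while [3] mechanically yields "DUNS 554433", the organisation's number rather than the subject's. That is exactly why the rule must be read as James describes it: it only applies once the CA has chosen to assert a PI for the subject; for a DN like [3] the CA simply omits the PI extension, and a relying party that sees a PI with an absent identifierValue should treat rule 2 (no serialNumber at all, here [4]) as an invalid PI rather than guess.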