Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
"David P. Kemp" <dpkemp@missi.ncsc.mil> Wed, 21 July 2004 21:00 UTC
To: Denis Pinkas <Denis.Pinkas@bull.net>
CC: Russ Housley <housley@vigilsec.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, ietf-pkix@imc.org
Denis,

Your two conditions below are logical but unnecessarily restrictive.

Consider James' original (correct) example:

[1] cn="John Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS 554433", c=US

and a modification (poorly-structured, but legal) that uses only single-valued RDNs:

[2] cn="John Doe", serialNumber=12345, o="Acme Ltd", serialNumber="DUNS 554433", c=US

and your example:

[3] cn="John Doe", o="Acme Ltd", serialNumber="DUNS 554433", c=US

I do not believe it is necessary to prohibit [2] in order to prevent [3]. Instead, if the SAN identifierValue is absent:

1 - if there are one or more RDNs containing a serialNumber attribute (alone or accompanied by other attributes), then the value contained in the serialNumber of the deepest such RDN shall be used as the identifierValue.

2 - otherwise, the CA is in error.

X.501 (02/2001) section 9.3, which appears to be normative, not informative, prohibits a given attribute type from appearing more than once in the same RDN. The origin of Russ' comments regarding the possibility of multiple serialNumber attributes in a single RDN is unclear.

Dave

Denis Pinkas wrote:
>
> 1 - if there is one serialNumber attribute alone in a RDN (i.e. no
> other attribute is present in that RDN), then *there shall
> only be one such RDN and* the value contained in the
> serialNumber attribute shall be used as the identifierValue;
>
> 2 - if there is no serialNumber attribute alone in a RDN, then the
> deepest RDN shall include a *single* serialNumber attribute
> and the value contained in that serialNumber shall be used
> as the identifierValue.
>
> Denis
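The two rules proposed in the message above, applied to the three example DNs from the thread, as an added example that is not part of the original message or of the PI draft. It assumes a minimal DN model (RDNs stored root-first, so the "deepest" RDN is the last one) and the helper names are this example's own.

```python
# Added example (not from the original message): a small model of X.500
# distinguished names used to exercise David Kemp's proposed rules for
# deriving the identifierValue from a serialNumber attribute.
# RDNs are stored root-first, so the "deepest" RDN is the last one.
# Function and variable names are this example's own assumptions.

from typing import Optional

# A DN is a list of RDNs; an RDN is a list of (attributeType, value) pairs.
DN = list[list[tuple[str, str]]]


def check_rdn_well_formed(rdn: list[tuple[str, str]]) -> None:
    """X.501 section 9.3: an attribute type appears at most once per RDN."""
    types = [t for t, _ in rdn]
    if len(types) != len(set(types)):
        raise ValueError(f"attribute type repeated within RDN: {rdn}")


def identifier_value_from_dn(dn: DN) -> Optional[str]:
    """Kemp's rule when the SAN identifierValue is absent:
    1. if one or more RDNs contain a serialNumber attribute (alone or with
       other attributes), use the value in the deepest such RDN;
    2. otherwise the CA is in error, reported here by returning None."""
    for rdn in dn:
        check_rdn_well_formed(rdn)
    for rdn in reversed(dn):  # walk from the deepest RDN towards the root
        for attr_type, value in rdn:
            if attr_type == "serialNumber":
                return value
    return None


# The three DNs discussed in the thread, written root-first (c=US is the root).
example_1: DN = [[("c", "US")], [("o", "Acme Ltd"), ("serialNumber", "DUNS 554433")],
                 [("cn", "John Doe"), ("serialNumber", "12345")]]
example_2: DN = [[("c", "US")], [("serialNumber", "DUNS 554433")], [("o", "Acme Ltd")],
                 [("serialNumber", "12345")], [("cn", "John Doe")]]
example_3: DN = [[("c", "US")], [("serialNumber", "DUNS 554433")], [("o", "Acme Ltd")],
                 [("cn", "John Doe")]]
# Constructed DN with no serialNumber at all: rule 2 applies (CA error).
no_serial: DN = [[("c", "US")], [("o", "Acme Ltd")], [("cn", "John Doe")]]

if __name__ == "__main__":
    for name, dn in [("[1]", example_1), ("[2]", example_2), ("[3]", example_3)]:
        print(name, identifier_value_from_dn(dn))
```

Under these rules [1] and [2] both yield the person's serialNumber 12345, while [3] yields the organisation's "DUNS 554433", which is the case the draft text has to make a CA avoid.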