Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Denis Pinkas <Denis.Pinkas@bull.net> Wed, 21 July 2004 17:38 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA06798 for <pkix-archive@lists.ietf.org>; Wed, 21 Jul 2004 13:38:13 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LGflwC003618; Wed, 21 Jul 2004 09:41:47 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LGfl79003617; Wed, 21 Jul 2004 09:41:47 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LGfk9Q003607 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 09:41:46 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA08038; Wed, 21 Jul 2004 18:52:02 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id SAA09711; Wed, 21 Jul 2004 18:41:36 +0200
Message-ID: <40FE9C88.8030208@bull.net>
Date: Wed, 21 Jul 2004 18:40:40 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: Alberti Antoine <aalberti@axway.com>
CC: Russ Housley <housley@vigilsec.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
References: <C1D2450FEBBA8C49BAA732EFB008A9ED0D805D@WEXCHBE01-VS.ptx.fr.sopra>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6LGfl9Q003612
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit
> I wonder if it is realistic to set constraints on DNs in the PKI standards: > one may not be able to use a DN that existed before the certificate > creation or renewal if the DN does not match the new rules. In this case, > what does the DN mean if it has to change from time to time, that is to > say if it does not identify the owner of the cert (I know it is already > the case, but it is not necessarily a reason to make this even more > true) ? Using a serialNumber attribute is not mandatory to be able to use the PI feature. Some forms of DN will be able to support a serialNumber as the value of the identifierValue, while some others will not. In such a case, an explicit identifierValue can be used. The proposed text only excludes the case where a RDN sequence would contain two or more serialNumber attributes in isolation. This is none of the examples given. The constraint seems thus reasonable. Denis > Regards. > Antoine Alberti. > > >>-----Message d'origine----- >>De : owner-ietf-pkix@mail.imc.org >>[mailto:owner-ietf-pkix@mail.imc.org]De la part de Denis Pinkas >>Envoyé : mercredi 21 juillet 2004 18:01 >>À : Russ Housley >>Cc : Manger, James H; ietf-pkix@imc.org >>Objet : Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber >>attribute >> >> >> >>Russ, >> >>I would think that you wrote this e-mail before getting mine >>on the same >>topic. When reading your e-mail, I would believe that the two >>cases would >>need to be changed from: >> >>1 - if there is one serialNumber attribute alone in a RDN (i.e. no >> other attribute is present in that RDN), then the value contained >> in that serialNumber shall be used as the identifierValue; >> >>2 - if there is no serialNumber attribute alone in a RDN, then the >> deepest RDN shall include a serialNumber attribute and the >> value contained in that serialNumber shall be used as the >> identifierValue. >> >>to: >> >>1 - if there is one serialNumber attribute alone in a RDN (i.e. no >> other attribute is present in that RDN), then *there shall >> only be one such RDN and* the value contained in the >> serialNumber attribute shall be used as the identifierValue; >> >>2 - if there is no serialNumber attribute alone in a RDN, then the >> deepest RDN shall include a *single* serialNumber attribute >> and the value contained in that serialNumber shall be used >> as the identifierValue. >> >>Denis >> >> >> >>>James: >>> >>>The authors put the serial number restriction into the document in >>>response to a comment from me. In the example that you >> >>provide, there >> >>>is not a problem. However, one can construct a >> >>distinguished name that >> >>>is ambiguous. The X.500 series of documents give us a very complex >>>structure for Name: >>> >>> Name ::= CHOICE { >>> RDNSequence } >>> >>> RDNSequence ::= SEQUENCE OF RelativeDistinguishedName >>> >>> RelativeDistinguishedName ::= >>> SET OF AttributeTypeAndValue >>> >>> AttributeTypeAndValue ::= SEQUENCE { >>> type AttributeType, >>> value AttributeValue } >>> >>> AttributeType ::= OBJECT IDENTIFIER >>> >>> AttributeValue ::= ANY DEFINED BY AttributeType >>> >>>Since RelativeDistinguishedName is a SET, it is possible to >> >>have more >> >>>than one attribute at the same level. If this level were >> >>to include >> >>>more than one SerialNumber attribute, then it would not be >> >>clear which >> >>>one to use as the permanent identifier. Since it is a SET, >> >>one cannot >> >>>rely on order to help resolve this issue. They would be >> >>equally "deep" >> >>>in the RDNSequence. >>> >>>I admit that no one in their right mind would design a >> >>schema like this, >> >>>but sadly, the structure permits an uninformed person to make some >>>really bad choices. Further, guidance in this area was >> >>removed from the >> >>>X.500 series of documents. The informative information >> >>that was once >> >>>present was removed because some implementors treated it as >> >>normative. >> >>>Russ >>> >>> >>>At 01:07 AM 7/19/2004, Manger, James H wrote: >>> >>> >>>>1. >>>>The ability to flag a serialNumber attribute value in the >>> >>subject name >> >>>>as a permanent identifier is a nice feature. Requiring that there >>>>only be a single serialNumber attribute, however, is unnecessarily >>>>restrictive. It seems quite sensible to use serialNumber >>> >>attributes >> >>>>to hold company numbers, org unit ids and/or personal >>> >>identifiers. >> >>>>For example: cn="John Doe" serialNumber=12345, o="Acme Ltd" >>>>serialNumber="DUNS 554433", c=US. The PI extension would >>> >>refer to 12345. >> >>>>[Section 2] Change the ASN.1 comment for the >>> >>identifierValue field of >> >>>>PermanentIdentifier to: >>>>" -- if absent, use the deepest serialNumber attribute >>> >>value in the >> >>>>subject DN" >>>> >>>>[Section 2] Change the paragraph that begins "When the >>> >>identifierValue >> >>>>field is absent" to: >>>>"When the identifierValue field is absent, then the deepest >>>>serialNumber attribute value from the subject DN is the >>> >>value to be >> >>>>taken for the identifierValue. An attribute is "deeper" >>> >>if it occurs >> >>>>later in the sequence of RDNs that make up the DN. A "deeper" >>>>attribute occurs earlier in the string representation of a DN >>>>[RFC2253], which start encoding the last element of the >>> >>RDN sequence >> >>>>that makes up a DN and moves backwards towards the first. The >>>>PermanentIdentifier SHALL NOT be used if there is no serialNumber >>>>attribute in the subject DN. >>>> >>>> >>>> >>>>2. >>>>Why can't the assigner field be present but the >>> >>identifierValue field >> >>>>be absent (refer to the serialNumber attribute)? An absent >>>>identifierValue is simply "shorthand" to avoid duplicating >>> >>a value -- >> >>>>it doesn't really have any sematic value so shouldn't have >>> >>any impact >> >>>>on the assigner field (or vice versa). >>>> >>>> >>>> >>>>3. >>>>The security considerations section mentions an >>> >>identifierType field >> >>>>that no longer exists. >>>> >>>> >>>> >>>>>---------- >>>>>From: Internet-Drafts@ietf.org >>>> >>>>[mailto:Internet-Drafts@ietf.org] >>>> >>>>>Sent: Wednesday, 14 July 2004 6:05 AM >>>>> >>>>> Title : Internet X.509 Public Key Infrastructure >>>> >>>>Permanent Identifier >>>> >>>>> Author(s) : D. Pinkas, T. Gindin >>>>> Filename : draft-ietf-pkix-pi-10.txt >>>>> Date : 2004-7-13 >>>>> >>>>>http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt >>>>> >>>>> ---------- >>>>> From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] >>>>> Sent: Thursday, 15 July 2004 6:06 PM >>>>> Cc: ietf-pkix@imc.org >>>>> >>>> >>>> ... the definition of the PI has been >>> >>changed to allow >> >>>>to use the serialNumber attribute from the subject DN. >>> >>> >>> >> >> >
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- Re: draft-ietf-pkix-pi-10.txt - single serialNumb… Anders Rundgren
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Russ Housley
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Anders Rundgren
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Russ Housley
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Alberti Antoine
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… David P. Kemp
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Fisher, James L.
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… David P. Kemp
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Russ Housley
- Re: SCVP-15 Michael Myers
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Richard Levitte - VMS Whacker
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- Re: pkix-pi-10.txt - Usage Models Anders Rundgren