Re: I-D ACTION:draft-ietf-pkix-pi-08.txt

"David P. Kemp" <dpkemp@missi.ncsc.mil> Wed, 12 May 2004 23:10 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA18704 for <pkix-archive@lists.ietf.org>; Wed, 12 May 2004 19:10:47 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i4CMCvuR062651; Wed, 12 May 2004 15:12:57 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i4CMCvGY062650; Wed, 12 May 2004 15:12:57 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i4CMCuVT062643 for <ietf-pkix@imc.org>; Wed, 12 May 2004 15:12:56 -0700 (PDT) (envelope-from DPKemp@missi.ncsc.mil)
Message-ID: <200405122138.i4CLchhk006004@stingray.missi.ncsc.mil>
Date: Wed, 12 May 2004 18:12:04 -0400
From: "David P. Kemp" <dpkemp@missi.ncsc.mil>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Anders Rundgren <anders.rundgren@telia.com>
CC: ietf-pkix@imc.org
Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt
References: <005701c3e08e$9b392fe0$1400a8c0@augustcellars.local> <00c701c3e121$0ae3af90$0500a8c0@arport> <4017C963.8060600@bull.net> <200405121708.i4CH7dim022214@stingray.missi.ncsc.mil> <001001c43864$e11bb130$0500a8c0@arport>
In-Reply-To: <001001c43864$e11bb130$0500a8c0@arport>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 12 May 2004 22:12:05.0026 (UTC) FILETIME=[28802020:01C4386E]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

It is certainly technically possible to put any attribute
into the subject name syntax.  An unfortunate side effect
of an infinitely-flexible syntax is that de-facto standards
such as those you cite can arise.

DNS (and by extension, email address) is a namespace rooted
in the TLDs (.com, .edu, ...).  PIs are another
namespace rooted either in some CA-specific environment
(policy=CA) or in an independent manner (by assigning agency)
that allows multiple CAs to issue certificates to one
identifiable user.  Subject Distinguished Names are
intended to be a third namespace, typically rooted by Country.

When you say "just stuff an email address in the middle of
a DN", that is equivalent to saying "just stuff a DN in
the middle of an email address":
"dpkemp@missi.(C=US,O=DoD,CN=Dave).ncsc.mil".  Fortunately,
RFC822 prohibits such foolishness in a way that cannot be
circumvented by fools.  Unfortunately, X.509 DN syntax does
not prohibit anything, and it is up to system architects
to establish rules that enable DNs to form a namespace
rather than a cloaca for miscellaneous unrelated data.
It is as easy for CAs to ignore those rules as it is
for Harry Homeowners to ignore electrical codes and wire
their basements without grounding and with hot and neutral
lines connected randomly.  The fact that something can be
done and is in fact done millions of times does not make
it a good idea.

SubjectAltName brings some syntax-enforced discipline
to certificate naming.  Feel free to ignore it, and even
to urge others to ignore it, but at least feel a twinge
of shame when you do so.



Anders Rundgren wrote:

>>It is my hope that PI will become an RFC in the near future, so
>>that certificates (from an un-named large PKI :-) that currently
>>handle PIs by munging them into Common Name (e.g.,
>>CN="Kemp.David.P.0514101404") will have a saner alternative.
> 
> 
> The de-facto standard, already engraved in *millions* of certs is
> putting 0514101404 in serialNumber. 
> 
> This is almost as de-facto standard as putting e-mail addresses in DNs
> which in turn is almost as de-facto standard as using URIs for naming
> globally unique objects.
> 
> C:\Internet-Drafts>del draft-ietf-pkix-pi-*.txt
> 
> :-)
> 
> Pardon my complaints, let there be an RFC!  But don't expect
> this scheme to become the trend.
> 
> There is a slight problem with the whole idea.  Either RPs require
> and act upon the PI-data or they don't care about it.  This in my
> opinion makes the extension redundant or is just another way
> to screw up validation.
> 
> If you on top of this add policy extensions I believe a real disaster
> is in the making.
> 
> Anders
>
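The distinction Kemp draws above, between a subjectAltName whose every member carries its type in its tag and a Distinguished Name that is an unconstrained sequence of attribute/value pairs, can be seen directly in the DER. The block below is an added example written for this archive page; it is not code from the original message or from any PKIX implementation. It contains minimal DER encoders and decoders for an X.509 Name and a SubjectAltName value (written here for illustration, not a library), and a relying-party rule of the kind the post argues for: take the e-mail identity from a typed rfc822Name, fall back to the DN's emailAddress attribute, and never scrape it out of CN. The OIDs are the real ones (2.5.4.x and PKCS#9 emailAddress); the subject names and addresses are constructed sample values, not real certificates.

```python
"""Added example (not from the original thread): minimal DER encode/decode for an
X.509 Name and a SubjectAltName value, plus a relying-party identity rule.
All certificate fragments are constructed inline; no real certificate is used."""
from typing import Optional

# --- DER primitives -------------------------------------------------------

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def oid_encode(dotted: str) -> bytes:
    """Dotted OID -> DER content octets (first two arcs packed, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def oid_decode(b: bytes) -> str:
    arcs, v = [], 0
    for x in b:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def der_read(buf: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body: bytes):
    """Split the body of a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

# --- X.509 name structures ------------------------------------------------

OID_CN = "2.5.4.3"
OID_EMAIL = "1.2.840.113549.1.9.1"                    # PKCS#9 emailAddress (IA5String)
GENERAL_NAME_TAG = {"rfc822Name": 0x81, "dNSName": 0x82}   # [1] / [2] IMPLICIT IA5String

def encode_name(*atvs) -> bytes:
    """Name ::= SEQUENCE OF RDN; each (oid, value) becomes a single-attribute RDN.
    Nothing in this syntax constrains which attribute types appear or what they hold."""
    rdns = b""
    for oid, value in atvs:
        vtag = 0x16 if oid == OID_EMAIL else 0x0C          # IA5String vs UTF8String
        atv = tlv(0x06, oid_encode(oid)) + tlv(vtag, value.encode("utf-8"))
        rdns += tlv(0x31, tlv(0x30, atv))
    return tlv(0x30, rdns)

def encode_san(*names) -> bytes:
    """SubjectAltName ::= SEQUENCE OF GeneralName; the tag says what kind of name it is."""
    return tlv(0x30, b"".join(tlv(GENERAL_NAME_TAG[k], v.encode("ascii")) for k, v in names))

def dn_attributes(name_der: bytes):
    """Flatten a Name into (dotted oid, string value) pairs in encoding order."""
    _, body, _ = der_read(name_der)
    out = []
    for _, rdn in der_children(body):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            out.append((oid_decode(oid), val.decode("utf-8")))
    return out

def san_rfc822_names(san_der: bytes):
    _, body, _ = der_read(san_der)
    return [v.decode("ascii") for t, v in der_children(body) if t == GENERAL_NAME_TAG["rfc822Name"]]

def email_identities(name_der: bytes, san_der: Optional[bytes]):
    """Relying-party rule: typed SAN rfc822Name first, legacy DN emailAddress second;
    a CN that merely looks like an address is untyped text and is not used."""
    if san_der is not None:
        found = san_rfc822_names(san_der)
        if found:
            return found
    return [v for oid, v in dn_attributes(name_der) if oid == OID_EMAIL]

# Constructed sample subjects (hypothetical values, not real certificates)
MUNGED_NAME = encode_name(("2.5.4.6", "US"), ("2.5.4.10", "DoD"), (OID_CN, "dpkemp@missi.ncsc.mil"))
LEGACY_NAME = encode_name(("2.5.4.6", "US"), ("2.5.4.10", "DoD"), (OID_CN, "David P. Kemp"),
                          (OID_EMAIL, "dpkemp@missi.ncsc.mil"))
CLEAN_NAME = encode_name(("2.5.4.6", "US"), ("2.5.4.10", "DoD"), (OID_CN, "David P. Kemp"))
CLEAN_SAN = encode_san(("rfc822Name", "dpkemp@missi.ncsc.mil"), ("dNSName", "stingray.missi.ncsc.mil"))

if __name__ == "__main__":
    print("address munged into CN:", email_identities(MUNGED_NAME, None))
    print("emailAddress in DN    :", email_identities(LEGACY_NAME, None))
    print("rfc822Name in SAN     :", email_identities(CLEAN_NAME, CLEAN_SAN))
```

The munged subject decodes to a CN attribute whose value happens to contain an "@", which the relying party has no typed basis to treat as an e-mail identity, so `email_identities` returns nothing for it; the same string under the emailAddress OID, or as an rfc822Name in the SAN, is returned. The DER parser here handles long-form lengths but deliberately nothing else (no indefinite lengths, no multi-valued RDN ordering checks); it exists only to show the two structures side by side.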