IETF Logo Mail Archive

Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute

Russ Housley <housley@vigilsec.com> Wed, 21 July 2004 17:01 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA03690 for <pkix-archive@lists.ietf.org>; Wed, 21 Jul 2004 13:01:57 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LGDcpg098801; Wed, 21 Jul 2004 09:13:38 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LGDcKG098800; Wed, 21 Jul 2004 09:13:38 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6LGDbcG098793 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 09:13:38 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 6222 invoked by uid 0); 21 Jul 2004 16:06:41 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.154.86) by woodstock.binhost.com with SMTP; 21 Jul 2004 16:06:41 -0000
Message-Id: <6.1.1.1.2.20040721121259.0391cca8@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Wed, 21 Jul 2004 12:14:07 -0400
To: Denis Pinkas <Denis.Pinkas@bull.net>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, ietf-pkix@imc.org
In-Reply-To: <40FE9323.8090306@bull.net>
References: <73388857A695D31197EF00508B08F29806EE1B42@ntmsg0131.corpmail.telstra.com.au> <6.1.1.1.2.20040721105229.035faf80@mail.binhost.com> <40FE9323.8090306@bull.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

Denis:

Yes, I did write this before I saw your response.

Russ

At 12:00 PM 7/21/2004, Denis Pinkas wrote:
>Russ,
>
>I would think that you wrote this e-mail before getting mine on the same 
>topic. When reading your e-mail, I would believe that the two cases would 
>need to be changed from:
>
>1 - if there is one serialNumber attribute alone in a RDN (i.e. no
>     other attribute is present in that RDN), then the value contained
>     in that serialNumber shall be used as the identifierValue;
>
>2 - if there is no serialNumber attribute alone in a RDN, then the
>     deepest RDN shall include a serialNumber attribute and the
>     value contained in that serialNumber shall be used as the
>     identifierValue.
>
>to:
>
>1 - if there is one serialNumber attribute alone in a RDN (i.e. no
>     other attribute is present in that RDN), then *there shall
>     only be one such RDN and* the value contained in the
>     serialNumber attribute shall be used as the identifierValue;
>
>2 - if there is no serialNumber attribute alone in a RDN, then the
>     deepest RDN shall include a *single* serialNumber attribute
>     and the value contained in that serialNumber shall be used
>     as the identifierValue.
>
>Denis
>
>
>>James:
>>The authors put the serial number restriction into the document in 
>>response to a comment from me.  In the example that you provide, there is 
>>not a problem.  However, one can construct a distinguished name that is 
>>ambiguous.  The X.500 series of documents give us a very complex 
>>structure for Name:
>>    Name ::= CHOICE {
>>      RDNSequence }
>>    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
>>    RelativeDistinguishedName ::=
>>      SET OF AttributeTypeAndValue
>>    AttributeTypeAndValue ::= SEQUENCE {
>>      type     AttributeType,
>>      value    AttributeValue }
>>    AttributeType ::= OBJECT IDENTIFIER
>>    AttributeValue ::= ANY DEFINED BY AttributeType
>>Since RelativeDistinguishedName is a SET, it is possible to have more 
>>than one attribute at the same level.  If this level were to include more 
>>than one SerialNumber attribute, then it would not be clear which one to 
>>use as the permanent identifier.  Since it is a SET, one cannot rely on 
>>order to help resolve this issue.  They would be equally "deep" in the 
>>RDNSequence.
>>I admit that no one in their right mind would design a schema like this, 
>>but sadly, the structure permits an uninformed person to make some really 
>>bad choices.  Further, guidance in this area was removed from the X.500 
>>series of documents.  The informative information that was once present 
>>was removed because some implementors treated it as normative.
>>Russ
>>
>>At 01:07 AM 7/19/2004, Manger, James H wrote:
>>
>>>1.
>>>The ability to flag a serialNumber attribute value in the subject name 
>>>as a permanent identifier is a nice feature.  Requiring that there only 
>>>be a single serialNumber attribute, however, is unnecessarily 
>>>restrictive.  It seems quite sensible to use serialNumber attributes to 
>>>hold company numbers, org unit ids and/or personal identifiers.
>>>For example: cn="John Doe" serialNumber=12345, o="Acme Ltd" 
>>>serialNumber="DUNS 554433", c=US.  The PI extension would refer to 12345.
>>>
>>>[Section 2] Change the ASN.1 comment for the identifierValue field of 
>>>PermanentIdentifier to:
>>>" -- if absent, use the deepest serialNumber attribute value in the 
>>>subject DN"
>>>
>>>[Section 2] Change the paragraph that begins "When the identifierValue 
>>>field is absent" to:
>>>"When the identifierValue field is absent, then the deepest serialNumber 
>>>attribute value from the subject DN is the value to be taken for the 
>>>identifierValue.  An attribute is "deeper" if it occurs later in the 
>>>sequence of RDNs that make up the DN.  A "deeper" attribute occurs 
>>>earlier in the string representation of a DN [RFC2253], which start 
>>>encoding the last element of the RDN sequence that makes up a DN and 
>>>moves backwards towards the first.  The PermanentIdentifier SHALL NOT be 
>>>used if there is no serialNumber attribute in the subject DN.
>>>
>>>
>>>
>>>2.
>>>Why can't the assigner field be present but the identifierValue field be 
>>>absent (refer to the serialNumber attribute)?  An absent identifierValue 
>>>is simply "shorthand" to avoid duplicating a value -- it doesn't really 
>>>have any sematic value so shouldn't have any impact on the assigner 
>>>field (or vice versa).
>>>
>>>
>>>
>>>3.
>>>The security considerations section mentions an identifierType field 
>>>that no longer exists.
>>>
>>>
>>> > ----------
>>> > From:         Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org]
>>> > Sent: Wednesday, 14 July 2004 6:05 AM
>>> >
>>> >       Title           : Internet X.509 Public Key Infrastructure 
>>> Permanent Identifier
>>> >       Author(s)       : D. Pinkas, T. Gindin
>>> >       Filename        : draft-ietf-pkix-pi-10.txt
>>> >       Date            : 2004-7-13
>>> >
>>> > http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
>>> >
>>> >       ----------
>>> >       From:   Denis Pinkas [mailto:Denis.Pinkas@bull.net]
>>> >       Sent:   Thursday, 15 July 2004 6:06 PM
>>> >       Cc:     ietf-pkix@imc.org
>>> >
>>>                 ... the definition of the PI has been changed to allow 
>>> to use the serialNumber attribute from the subject DN.
>>
>
>

v2.23.0 | Report a Bug | By Email