Use of dnQualifier must be settled

Stefan Santesson <stefan@accurata.se> Tue, 16 November 1999 15:03 UTC

Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA12580 for <pkix-archive@odin.ietf.org>; Tue, 16 Nov 1999 10:03:44 -0500 (EST)
Received: from localhost (daemon@localhost) by ns.secondary.com (8.9.3/8.9.3) with SMTP id GAA27139; Tue, 16 Nov 1999 06:59:58 -0800 (PST)
Received: by mail.imc.org (bulk_mailer v1.12); Tue, 16 Nov 1999 06:59:12 -0800
Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA27103 for <ietf-pkix@imc.org>; Tue, 16 Nov 1999 06:59:04 -0800 (PST)
Received: from stefan2 (accurata.inbox.se [193.12.72.24]) by popmail.inbox.se (8.9.3/8.9.3) with SMTP id QAA14666; Tue, 16 Nov 1999 16:00:15 +0100
Message-Id: <4.1.19991116150759.00d2d6b0@mail.accurata.se>
X-Sender: mb517@mail.accurata.se
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Tue, 16 Nov 1999 16:00:47 +0100
To: ietf-pkix@imc.org
From: Stefan Santesson <stefan@accurata.se>
Subject: Use of dnQualifier must be settled
Cc: Sean Turner <turners@ieca.com>, "Manger, James" <JManger@vtrlmel1.telstra.com.au>, "Kesterson, Hoyt" <Hoyt.Kesterson@bull.com>, "David P. Kemp" <dpkemp@missi.ncsc.mil>, Anders Rundgren <anders.rundgren@jaybis.com>, "Ella P. Gardner" <egardner@mitre.org>, 'housley' <housley@spyrus.com>, 'wford' <wford@verisign.com>, 'wpolk' <wpolk@nist.gov>, "'david.solo@citicorp.com'" <david.solo@citicorp.com>, "\"'Magnus Nyström'\"" <magnus@rsasecurity.com>
In-Reply-To: <382B2FD2.2567404E@ieca.com>
References: <199911110248.NAA25501@mail.cdn.telstra.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id GAA27104
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe

We must come to a common understanding on what the defined usage of
dnQualifier is according to X.520.

X.520 defines:
--------------
5.2.8 DN Qualifier 
The DN Qualifier attribute type specifies disambiguating information to add 
to the relative distinguished name of an entry. It is intended to be used 
for entries held in multiple DSAs which would otherwise have the same name, 
and that its value be the same in a given DSA for all entries to which this 
information has been added.
[DSA = Directory System Agent, basically a directory server]
-------------------

Let's apply this to two DSAs, which in this case are each represented by a
group of entries.

DSA 1 group:            DSA 2 group:          
1) CN="Alice"           1) CN="Alice"
2) CN="Bob"             2) CN="Bob"
3) CN="Bob"             3) CN="Fred"


INTERPRETATION 1:
-----------------
One interpretation (Manger) is that this means that dnQualifier is defined
to disambiguate names between independent domains (DSAs). In this case group
1 above is invalid because names within a group must be unique also
without dnQualifier. But if we delete 3) from group 1 we can then use
dnQualifier to disambiguate Alice and Bob between group 1 and 2. dnQualifier
is used to give all entries a common disambiguating value for each group.

Ex.
DSA 1 group:                  DSA 2 group:          
1) CN="Alice", DNQ="Grp 1"    1) CN="Alice", DNQ="Grp 2"
2) CN="Bob", DNQ="Grp 1"      2) CN="Bob", DNQ="Grp 2"
                              3) CN="Fred"

Note that DNQ is not added to "Fred" since that is not needed.


INTERPRETATION 2
-----------------

Interpretation 2 is the current interpretation behind the current rfc2459
and also the interpretation in the QC profile. This interpretation says
that dnQualifier can be used to disambiguate any name from any other name,
regardless of whether these names are located within the same group or not.

In this case the example groups may look like this:
DSA 1 group:                  DSA 2 group:          
1) CN="Alice", DNQ="1"        1) CN="Alice", DNQ="2"
2) CN="Bob", DNQ="1"          2) CN="Bob", DNQ="3"
3) CN="Bob", DNQ="2"          3) CN="Fred", DNQ="1"

It could also be used to store unique values like this:
DSA 1 group:                  DSA 2 group:          
1) CN="Alice", DNQ="01"       1) CN="Alice", DNQ="11"
2) CN="Bob", DNQ="02"         2) CN="Bob", DNQ="12"
3) CN="Bob", DNQ="03"         3) CN="Fred", DNQ="13"



Now we need to settle once and for all.....

Is interpretation 1 or 2 the right one?

Please be active on this one because it is VERY important that we agree on
a consensus here very soon.


/Stefan
 

-------------------------------------------------------------------
Stefan Santesson                <stefan@accurata.se>
Accurata AB                     http://www.accurata.se
Slagthuset                      Tel. +46-40 108588              
211 20  Malmö                   Fax. +46-40 150790              
Sweden                        Mobile +46-70 5247799

PGP fingerprint: 89BC 6C79 5B3D 591B 8547  1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------
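The two interpretations above differ in which uniqueness rules a set of directory entries has to satisfy. The following checker, added here as an illustration and not part of Stefan's message or any PKIX deliverable, encodes each interpretation as a rule set and runs it over the example groups from the message (reduced to CN plus an optional dnQualifier; that simplification, the `Entry` type and the function names are assumptions of this example). Interpretation 1 requires CN to be unique within a group, a single DNQ value per group, and a globally unique (CN, DNQ) pair; interpretation 2 requires only the last of these.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    """One directory entry, reduced to the two naming attributes under discussion."""
    cn: str
    dnq: Optional[str] = None  # None means no dnQualifier attribute is present

    def rdn(self) -> Tuple[str, Optional[str]]:
        return (self.cn, self.dnq)


# A "group" stands for the entries held by one DSA, as in the message.
Groups = Dict[str, List[Entry]]


def _global_rdn_collisions(groups: Groups) -> List[str]:
    """Shared rule: the full RDN (CN, DNQ) must be unique across all groups."""
    owners: Dict[Tuple[str, Optional[str]], str] = {}
    problems: List[str] = []
    for name, entries in groups.items():
        for e in entries:
            key = e.rdn()
            if key in owners:
                problems.append(
                    f"RDN CN={e.cn!r} DNQ={e.dnq!r} in {name} already used in {owners[key]}"
                )
            else:
                owners[key] = name
    return problems


def check_interpretation_1(groups: Groups) -> List[str]:
    """Interpretation 1: DNQ disambiguates between DSAs, never within one."""
    problems: List[str] = []
    for name, entries in groups.items():
        # CN alone must already be unique inside a group.
        seen_cn = set()
        for e in entries:
            if e.cn in seen_cn:
                problems.append(f"{name}: CN {e.cn!r} is not unique within the group")
            seen_cn.add(e.cn)
        # Every entry that carries a DNQ in this group must carry the same value.
        values = {e.dnq for e in entries if e.dnq is not None}
        if len(values) > 1:
            problems.append(f"{name}: uses several DNQ values {sorted(values)}")
    problems.extend(_global_rdn_collisions(groups))
    return problems


def check_interpretation_2(groups: Groups) -> List[str]:
    """Interpretation 2: DNQ may disambiguate any name from any other name."""
    return _global_rdn_collisions(groups)


# Constructed sample data, transcribed from the three tables in the message.
BASELINE: Groups = {
    "DSA 1": [Entry("Alice"), Entry("Bob"), Entry("Bob")],
    "DSA 2": [Entry("Alice"), Entry("Bob"), Entry("Fred")],
}
INTERP_1_EXAMPLE: Groups = {
    "DSA 1": [Entry("Alice", "Grp 1"), Entry("Bob", "Grp 1")],
    "DSA 2": [Entry("Alice", "Grp 2"), Entry("Bob", "Grp 2"), Entry("Fred")],
}
INTERP_2_EXAMPLE: Groups = {
    "DSA 1": [Entry("Alice", "1"), Entry("Bob", "1"), Entry("Bob", "2")],
    "DSA 2": [Entry("Alice", "2"), Entry("Bob", "3"), Entry("Fred", "1")],
}


if __name__ == "__main__":
    for label, groups in [("baseline", BASELINE),
                          ("interpretation 1 example", INTERP_1_EXAMPLE),
                          ("interpretation 2 example", INTERP_2_EXAMPLE)]:
        print(f"== {label}")
        print("  under interpretation 1:", check_interpretation_1(groups) or "OK")
        print("  under interpretation 2:", check_interpretation_2(groups) or "OK")
```

Running it shows the asymmetry the message is about: the interpretation 1 example passes under both rule sets, while the interpretation 2 example (duplicate "Bob" inside DSA 1, three different DNQ values inside DSA 2) is valid only under interpretation 2. The original baseline tables fail under both, since "Alice" and "Bob" repeat with no qualifier at all.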