RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute

"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 22 July 2004 02:56 UTC

Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Date: Thu, 22 Jul 2004 10:40:00 +1000
Message-ID: <73388857A695D31197EF00508B08F29806EE1B50@ntmsg0131.corpmail.telstra.com.au>
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: ietf-pkix@imc.org
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>

Thanks David.

> cn="John Doe" , o="Acme Ltd" serialNumber="DUNS554433", c=US

Denis's "problem" DN does not need to be solved.  The DN does NOT contain a PI for the subject so the CA will not include a PI extension saying it does.  End of story.


Russ's "problem" DN does not need to be solved.  As David notes, an attribute type is not allowed to appear more than once in an RDN.


I still suggest using my original text changes.



-----Original Message-----
From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil]
Sent: Thursday, 22 July 2004 5:58 AM
To: Denis Pinkas
Cc: Russ Housley; Manger, James H; ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute


Denis,

Your two conditions below are logical but unnecessarily
restrictive.

Consider James' original (correct) example:

[1] cn="John Doe" serialNumber=12345, o="Acme Ltd"
    serialNumber="DUNS 554433", c=US

and a modification (poorly-structured, but legal) that uses
only single-valued RDNs:

[2] cn="John Doe", serialNumber=12345, o="Acme Ltd",
   serialNumber="DUNS 554433", c=US

and your example:

[3] cn="John Doe", o="Acme Ltd", serialNumber="DUNS 554433", c=US


I do not believe it is necessary to prohibit [2] in order to
prevent [3].  Instead, if the SAN identifierValue is absent:

1 - if there are one or more RDNs containing a serialNumber
     attribute (alone or accompanied by other attributes), then
     the value contained in the serialNumber of the deepest
     such RDN shall be used as the identifierValue.

2 - otherwise, the CA is in error.


X.501 (02/2001) section 9.3, which appears to be normative,
not informative, prohibits a given attribute type from
appearing more than once in the same RDN.  The origin of
Russ' comments regarding the possibility of multiple
serialNumber attributes in a single RDN is unclear.

Dave



Denis Pinkas wrote:

> 
> 1 - if there is one serialNumber attribute alone in a RDN (i.e. no
>     other attribute is present in that RDN), then *there shall
>     only be one such RDN and* the value contained in the
>     serialNumber attribute shall be used as the identifierValue;
> 
> 2 - if there is no serialNumber attribute alone in a RDN, then the
>     deepest RDN shall include a *single* serialNumber attribute
>     and the value contained in that serialNumber shall be used
>     as the identifierValue.
> 
> Denis
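The rule David Kemp proposes above (take the serialNumber of the deepest RDN that carries one when the SAN identifierValue is absent) and the X.501 9.3 point that an attribute type may not repeat within one RDN, worked through in code. This is an added example, not code from the thread or from the PI draft. It assumes the DN notation used in the thread: RDNs separated by commas with the leaf-most RDN written first, attributes inside a multi-valued RDN separated by whitespace, values quoted or bare, and "deepest" meaning furthest from the root (the first RDN in this string form).

```python
# Added example (not from the thread): derive a PI identifierValue from a subject DN
# using Kemp's "deepest serialNumber RDN" rule, rejecting repeated attribute types
# in one RDN as X.501 (02/2001) 9.3 requires.
import re

# type=value pairs; value is either "quoted text" (group 3) or a bare token (group 2)
ATTR_RE = re.compile(r'(\w+)\s*=\s*("([^"]*)"|[^\s,"]+)')

# The three DNs from the thread, joined onto single lines (constructed inputs).
EXAMPLE_1 = 'cn="John Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS 554433", c=US'
EXAMPLE_2 = 'cn="John Doe", serialNumber=12345, o="Acme Ltd", serialNumber="DUNS 554433", c=US'
EXAMPLE_3 = 'cn="John Doe", o="Acme Ltd", serialNumber="DUNS 554433", c=US'

def split_rdns(dn):
    """Split on commas that are not inside double quotes; leaf-most RDN first."""
    parts, cur, in_quote = [], [], False
    for ch in dn:
        if ch == '"':
            in_quote = not in_quote
        if ch == ',' and not in_quote:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return [p.strip() for p in parts if p.strip()]

def parse_dn(dn):
    """Return a list of RDNs, each a list of (type, value) pairs, leaf first."""
    rdns = []
    for rdn_text in split_rdns(dn):
        attrs = []
        for m in ATTR_RE.finditer(rdn_text):
            value = m.group(3) if m.group(3) is not None else m.group(2)
            attrs.append((m.group(1).lower(), value))
        types = [t for t, _ in attrs]
        if len(types) != len(set(types)):
            # X.501 9.3: a given attribute type may appear at most once per RDN
            raise ValueError("attribute type repeated within an RDN: %r" % rdn_text)
        rdns.append(attrs)
    return rdns

def derive_identifier_value(dn):
    """Kemp's rule: serialNumber of the deepest RDN that has one; None means the
    DN yields no identifierValue (his 'CA is in error' case)."""
    for rdn in parse_dn(dn):  # leaf-most RDN first, so the first hit is the deepest
        for atype, value in rdn:
            if atype == "serialnumber":
                return value
    return None
```

On the thread's DNs this returns 12345 for [1] and [2] and "DUNS 554433" for [3], which is exactly the organisation-number case the thread argues about; a DN with serialNumber twice in one RDN is rejected rather than disambiguated.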