RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
"Alberti Antoine" <aalberti@axway.com> Wed, 21 July 2004 17:16 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA04653 for <pkix-archive@lists.ietf.org>; Wed, 21 Jul 2004 13:16:00 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LGKhoo099437; Wed, 21 Jul 2004 09:20:43 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LGKhbA099436; Wed, 21 Jul 2004 09:20:43 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from outbound1.sopragroup.com (outbound1.z-ptx-11.fr.sopragroup.com [81.80.239.198]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LGKfCb099364 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 09:20:42 -0700 (PDT) (envelope-from aalberti@axway.com)
Received: by outbound1.sopragroup.com (8.12.10/8.12.10/outbound-A02) with ESMTP id i6LGK6Kp006886; Wed, 21 Jul 2004 18:20:07 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.0.6556.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Date: Wed, 21 Jul 2004 18:20:06 +0200
Message-ID: <C1D2450FEBBA8C49BAA732EFB008A9ED0D805D@WEXCHBE01-VS.ptx.fr.sopra>
Thread-Topic: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Thread-Index: AcRvPMxYAgDEz69MTIOwiUH7/WDo3gAANlPg
From: Alberti Antoine <aalberti@axway.com>
To: Denis Pinkas <Denis.Pinkas@bull.net>, Russ Housley <housley@vigilsec.com>
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, ietf-pkix@imc.org
X-OriginalArrivalTime: 21 Jul 2004 16:27:16.0062 (UTC) FILETIME=[95D53FE0:01C46F3F]
X-Scanned-By: MIMEDefang 2.38
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6LGKhCb099431
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit
I wonder if it is realistic to set constraints on DNs in the PKI standards: one may not be able to use a DN that existed before the certificate creation or renewal if the DN does not match the new rules. In this case, what does the DN mean if it has to change from time to time, that is to say if it does not identify the owner of the cert (I know it is already the case, but it is not necessarily a reason to make this even more true) ? Regards. Antoine Alberti. > -----Message d'origine----- > De : owner-ietf-pkix@mail.imc.org > [mailto:owner-ietf-pkix@mail.imc.org]De la part de Denis Pinkas > Envoyé : mercredi 21 juillet 2004 18:01 > À : Russ Housley > Cc : Manger, James H; ietf-pkix@imc.org > Objet : Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber > attribute > > > > Russ, > > I would think that you wrote this e-mail before getting mine > on the same > topic. When reading your e-mail, I would believe that the two > cases would > need to be changed from: > > 1 - if there is one serialNumber attribute alone in a RDN (i.e. no > other attribute is present in that RDN), then the value contained > in that serialNumber shall be used as the identifierValue; > > 2 - if there is no serialNumber attribute alone in a RDN, then the > deepest RDN shall include a serialNumber attribute and the > value contained in that serialNumber shall be used as the > identifierValue. > > to: > > 1 - if there is one serialNumber attribute alone in a RDN (i.e. no > other attribute is present in that RDN), then *there shall > only be one such RDN and* the value contained in the > serialNumber attribute shall be used as the identifierValue; > > 2 - if there is no serialNumber attribute alone in a RDN, then the > deepest RDN shall include a *single* serialNumber attribute > and the value contained in that serialNumber shall be used > as the identifierValue. > > Denis > > > > James: > > > > The authors put the serial number restriction into the document in > > response to a comment from me. In the example that you > provide, there > > is not a problem. However, one can construct a > distinguished name that > > is ambiguous. The X.500 series of documents give us a very complex > > structure for Name: > > > > Name ::= CHOICE { > > RDNSequence } > > > > RDNSequence ::= SEQUENCE OF RelativeDistinguishedName > > > > RelativeDistinguishedName ::= > > SET OF AttributeTypeAndValue > > > > AttributeTypeAndValue ::= SEQUENCE { > > type AttributeType, > > value AttributeValue } > > > > AttributeType ::= OBJECT IDENTIFIER > > > > AttributeValue ::= ANY DEFINED BY AttributeType > > > > Since RelativeDistinguishedName is a SET, it is possible to > have more > > than one attribute at the same level. If this level were > to include > > more than one SerialNumber attribute, then it would not be > clear which > > one to use as the permanent identifier. Since it is a SET, > one cannot > > rely on order to help resolve this issue. They would be > equally "deep" > > in the RDNSequence. > > > > I admit that no one in their right mind would design a > schema like this, > > but sadly, the structure permits an uninformed person to make some > > really bad choices. Further, guidance in this area was > removed from the > > X.500 series of documents. The informative information > that was once > > present was removed because some implementors treated it as > normative. > > > > Russ > > > > > > At 01:07 AM 7/19/2004, Manger, James H wrote: > > > >> 1. > >> The ability to flag a serialNumber attribute value in the > subject name > >> as a permanent identifier is a nice feature. Requiring that there > >> only be a single serialNumber attribute, however, is unnecessarily > >> restrictive. It seems quite sensible to use serialNumber > attributes > >> to hold company numbers, org unit ids and/or personal > identifiers. > >> For example: cn="John Doe" serialNumber=12345, o="Acme Ltd" > >> serialNumber="DUNS 554433", c=US. The PI extension would > refer to 12345. > >> > >> [Section 2] Change the ASN.1 comment for the > identifierValue field of > >> PermanentIdentifier to: > >> " -- if absent, use the deepest serialNumber attribute > value in the > >> subject DN" > >> > >> [Section 2] Change the paragraph that begins "When the > identifierValue > >> field is absent" to: > >> "When the identifierValue field is absent, then the deepest > >> serialNumber attribute value from the subject DN is the > value to be > >> taken for the identifierValue. An attribute is "deeper" > if it occurs > >> later in the sequence of RDNs that make up the DN. A "deeper" > >> attribute occurs earlier in the string representation of a DN > >> [RFC2253], which start encoding the last element of the > RDN sequence > >> that makes up a DN and moves backwards towards the first. The > >> PermanentIdentifier SHALL NOT be used if there is no serialNumber > >> attribute in the subject DN. > >> > >> > >> > >> 2. > >> Why can't the assigner field be present but the > identifierValue field > >> be absent (refer to the serialNumber attribute)? An absent > >> identifierValue is simply "shorthand" to avoid duplicating > a value -- > >> it doesn't really have any sematic value so shouldn't have > any impact > >> on the assigner field (or vice versa). > >> > >> > >> > >> 3. > >> The security considerations section mentions an > identifierType field > >> that no longer exists. > >> > >> > >> > ---------- > >> > From: Internet-Drafts@ietf.org > >> [mailto:Internet-Drafts@ietf.org] > >> > Sent: Wednesday, 14 July 2004 6:05 AM > >> > > >> > Title : Internet X.509 Public Key Infrastructure > >> Permanent Identifier > >> > Author(s) : D. Pinkas, T. Gindin > >> > Filename : draft-ietf-pkix-pi-10.txt > >> > Date : 2004-7-13 > >> > > >> > http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt > >> > > >> > ---------- > >> > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > >> > Sent: Thursday, 15 July 2004 6:06 PM > >> > Cc: ietf-pkix@imc.org > >> > > >> ... the definition of the PI has been > changed to allow > >> to use the serialNumber attribute from the subject DN. > > > > > > > > >
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- Re: draft-ietf-pkix-pi-10.txt - single serialNumb… Anders Rundgren
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Russ Housley
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Anders Rundgren
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Russ Housley
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Alberti Antoine
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… David P. Kemp
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Fisher, James L.
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… David P. Kemp
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Russ Housley
- Re: SCVP-15 Michael Myers
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Denis Pinkas
- Re: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Richard Levitte - VMS Whacker
- RE: PI: 10: draft-ietf-pkix-pi-10.txt - single se… Manger, James H
- Re: pkix-pi-10.txt - Usage Models Anders Rundgren