Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Denis Pinkas <Denis.Pinkas@bull.net> Wed, 21 July 2004 15:26 UTC
Message-ID: <40FE7593.9050902@bull.net>
Date: Wed, 21 Jul 2004 15:54:27 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
CC: ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
References: <73388857A695D31197EF00508B08F29806EE1B4B@ntmsg0131.corpmail.telstra.com.au>
James,

> That is wrong.
>
> A DN names an object by describing a path to it through a hierarchy of
> other objects. Each RDN consists of attributes of one of those *other*
> objects. Only the last RDN has attributes of the actual named object.
> A serialNumber attribute (like any other attribute) can appear multiple
> times -- once for each level of the hierarchy (ie once for each RDN).
>
> RDN = *Relative* Distinguished Name.
>
> [Note. No attribute type can appear multiple times within a single RDN.]
>
> In my sample DN:
> cn="John Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS
> 554433", c=US
> there are 3 objects: a country, a company and a person. The person only
> has one serialNumber. The company is an object in its own right so it
> can have its own serialNumber.

OK.

> So please reconsider my suggestion (1) that when identifierValue is
> absent the deepest serialNumber value is used.

I understand what you mean, but the proposed formulation is wrong.

Suppose a certificate with:

cn="John Doe" , o="Acme Ltd" serialNumber="DUNS554433", c=US

then there would be thousands of certificates with the same PI and referring to different persons. :-(

> [Theoretically, the PI draft could require the serialNumber be in the
> deepest RDN. This would ensure the serialNumber is an attribute of the
> named object, not of some parent object. However, I would not recommend that.
> It is not unusual for DNs (particularly in certificates) to only
> use 1 attribute per RDN, even if some of the attributes all relate to
> the same logical object.]

This remark is correct, but we need a way to prevent the case mentioned above. There would be two cases to consider:

1 - if there is one serialNumber attribute alone in an RDN (i.e. no other attribute is present in that RDN), then the value contained in that serialNumber shall be used as the identifierValue;

2 - if there is no serialNumber attribute alone in an RDN, then the deepest RDN shall include a serialNumber attribute and the value contained in that serialNumber shall be used as the identifierValue.

Is this formulation correct?

Denis

> ----------
> From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
> Sent: Wednesday, 21 July 2004 12:01 AM
>
> Section 5.2.9 from X520 defines the serial Number attribute as follows:
>
> "The serial Number attribute type specifies an identifier, the serial number
> of an object."
>
> The serial Number attribute applies to the object, not to a RDN component.
> Thus, unless it is an error, there can't be multiple serial Number
> attributes in a DN.
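The two rules under discussion, Manger's "deepest serialNumber anywhere in the DN" and Pinkas's two-case formulation, applied to the three DN shapes that appear in this exchange. This is example code written for this archive page, not part of draft-ietf-pkix-pi or X.520; DNs are modelled as tuples of RDNs rather than parsed from string form, and the tie-break for several lone serialNumbers is my assumption.

```python
from typing import Optional, Sequence, Tuple

# Example code for this archive page, not part of draft-ietf-pkix-pi or X.520.
# An RDN is a tuple of (attributeType, value) pairs; a DN is a sequence of
# RDNs in the order written on this page: index 0 is the deepest RDN (the
# named object), the last one is the root (e.g. c=US).
RDN = Tuple[Tuple[str, str], ...]
DN = Sequence[RDN]
SERIAL_NUMBER = "serialNumber"


def serial_numbers_in(rdn: RDN) -> list:
    return [v for (t, v) in rdn if t == SERIAL_NUMBER]


def deepest_serial_number_rule(dn: DN) -> Optional[str]:
    """Manger's suggestion (1): identifierValue absent -> use the deepest
    serialNumber value found anywhere in the DN."""
    for rdn in dn:  # deepest RDN first
        found = serial_numbers_in(rdn)
        if found:
            return found[0]
    return None


def two_case_rule(dn: DN) -> Optional[str]:
    """Pinkas's two-case formulation.  Case 1: a serialNumber alone in its
    RDN is the identifierValue.  Case 2: otherwise the deepest RDN must
    itself carry a serialNumber.  None means no PI can be derived.
    Assumption (mine): with several lone serialNumbers, the deepest wins."""
    for rdn in dn:
        if len(rdn) == 1 and rdn[0][0] == SERIAL_NUMBER:
            return rdn[0][1]
    found = serial_numbers_in(dn[0]) if dn else []
    return found[0] if found else None


# Constructed DNs, taken from the thread.
MANGER_DN: DN = (
    (("cn", "John Doe"), (SERIAL_NUMBER, "12345")),
    (("o", "Acme Ltd"), (SERIAL_NUMBER, "DUNS 554433")),
    (("c", "US"),),
)
PINKAS_DN: DN = (  # only the company has a serialNumber
    (("cn", "John Doe"),),
    (("o", "Acme Ltd"), (SERIAL_NUMBER, "DUNS554433")),
    (("c", "US"),),
)
ONE_ATTR_PER_RDN: DN = (  # the common one-attribute-per-RDN layout
    (("cn", "John Doe"),), ((SERIAL_NUMBER, "12345"),),
    (("o", "Acme Ltd"),), (("c", "US"),),
)
```

On PINKAS_DN the deepest-serialNumber rule returns the company's DUNS number, which every employee certificate would share, while the two-case rule derives no identifierValue at all.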