
NULL Distinguished Names



>> I'll give you more time to respond to my proposal -- but the problems I see
>> are with the distinguished names themselves:  the concept of having a unique
>> identifier of some human being as a prerequisite to generating a
>> certificate.
>>
>I had a moderately lengthy discussion with Warwick Ford in the hall outside
>  his office today about this issue.  With the X.509 V3 certificate,
>  the PKIX group very well *could* recommend a profile of X.509 that
>  uses NUL values in the DistinguishedName fields, and uses the
>  alternateName types in the standard extensions.  Those extensions
>  include provision for many of the favourite "handles" of the
>  IETF community--DNS names, rfc822 addresses, etc.
>
>To be fair to X.509, and to the PKIX group, DistinguishedNames are not
>  a necessary prerequisite to generating a certificate.

I agree, and was about to say the same thing myself. In fact, one of the things 
I'd like to see in the PKIX document is a clearer exposition of exactly what 
purpose the DN is supposed to serve in a certificate.

To my way of thinking, the DN serves three functions, none of which are 
fundamental or absolutely necessary for all possible applications, although 
they may be very useful or even a requirement for other applications:

1. It provides a guaranteed-unique way of referring to the certificate itself, 
when it is stored in a database or directory. In other words, it is a direct 
lookup search index. It may or may not be useful for browsing, depending on the 
structure (schema) of the DN.

2. In the case of a directory such as X.500, it provides a strong access 
control mechanism over who can modify the other entries associated with the 
entity named by the DN. 

3. It can provide useful information about the entity that it names, as 
required. If either of the other two purposes is present, encoding the 
"useful" information in the DN may reduce the amount of redundancy.

The way that X.509 is defined right now, the DN is not an optional field, but 
the schema is not defined. So it can contain anything that anyone would want it 
to contain. If either of the first two purposes I listed is required, the DN 
ought to be unique, but some form of a null value would be acceptable 
elsewhere.

In general, I would take the position that the form of the DN should be 
specified by the database or directory administrator, NOT by the CA. However, 
at the rate things are moving in the X.500 and other directory communities, the 
CAs may get there first.



Bob

Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
Jueneman@gte.com
1-617/466-2820

"The opinions expressed are my own, and may not 
reflect the official position of GTE, if any, on this subject."
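The NULL-DN-plus-alternateName profile discussed in this thread, as an added Python example that is not part of the original message: it DER-encodes an empty X.501 Name and a subjectAltName extension carrying rfc822Name and dNSName values, and implements the rule that was later standardized in RFC 5280 section 4.1.2.6 for a relying party to enforce: when the subject is the empty sequence, naming information must be carried in a subjectAltName extension marked critical. The function names are hypothetical, the OIDs are the standard ones, and the extension parser assumes short-form DER lengths.

```python
from typing import List, Optional, Sequence, Tuple

OID_CN = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)
OID_SAN = bytes.fromhex("551d11")  # id-ce-subjectAltName (2.5.29.17)

def der(tag: int, content: bytes) -> bytes:
    """TLV with a DER length (short form below 128, long form otherwise)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_name(common_name: Optional[str]) -> bytes:
    """X.501 Name = SEQUENCE OF RDN; None gives the NULL DN, the empty sequence 30 00."""
    if common_name is None:
        return der(0x30, b"")
    atv = der(0x30, der(0x06, OID_CN) + der(0x0C, common_name.encode("utf-8")))
    return der(0x30, der(0x31, atv))  # SEQUENCE { SET { AttributeTypeAndValue } }

def encode_san(rfc822: Sequence[str] = (), dns: Sequence[str] = (), critical: bool = False) -> bytes:
    """Extension { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING { GeneralNames } }."""
    names = b"".join(der(0x81, n.encode("ascii")) for n in rfc822)   # [1] rfc822Name
    names += b"".join(der(0x82, n.encode("ascii")) for n in dns)     # [2] dNSName
    body = der(0x06, OID_SAN)
    if critical:
        body += der(0x01, b"\xff")  # DER omits the BOOLEAN when it equals its DEFAULT
    return der(0x30, body + der(0x04, der(0x30, names)))

def subject_is_empty(name_der: bytes) -> bool:
    """True for the NULL DN (an empty SEQUENCE OF RDN)."""
    return name_der == b"\x30\x00"

def san_status(extensions: List[bytes]) -> Tuple[bool, bool]:
    """(present, critical) for subjectAltName; assumes each extension is under 128 bytes."""
    for ext in extensions:
        if ext[2:7] != der(0x06, OID_SAN):
            continue
        return True, ext[7] == 0x01 and ext[9] == 0xFF
    return False, False

def acceptable_subject_profile(subject_der: bytes, extensions: List[bytes]) -> bool:
    """RFC 5280 4.1.2.6: an empty subject is acceptable only with a critical subjectAltName."""
    present, critical = san_status(extensions)
    if subject_is_empty(subject_der):
        return present and critical
    return True
```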