
Re: DN naming conventions and schema

On Thu, 4 Dec 1997, Bob Jueneman wrote:

-> Patrick,
-> >
-> >>>> "Patrick C. Richard" <patr@xcert.com> 12/04 12:32 AM >>>
-> >Ed Gerck wrote:
-> >> 
-> >> As to the CAs doing name assignment, this is actually mandated by X.509.
-> >> The problem of connecting different CA's is solved in X.509 by forming a
-> >> PKI of CAs -- which is possible in principle because all CAs follow the
-> >> *same* naming convention. 
-> >
-> >This does not necessarily apply to anyone using PKIX (recognizing that
-> >you *did* mention X.509 and not PKIX), and I am posting this as many
-> >blindly equate PKIX with X.509 (yes, I recognize the similarities). PKIX
-> mandates the use of a subject "DN", but has absolutely no enforcement on
-> the contents of that DN, and nothing in PKIX prevents DNs containing any
-> information or any naming convention you want, X.500 or not.
-> Actually, this isn't correct, since in PKIX the DN is optional, and may be
-> an empty sequence. (Although in that case one or more subjectAltName
-> definitions must be provided, and the subjectAltName attribute must be
-> marked Critical.)

As a side comment, and still keeping with X.509, my phrase above may be
dubious (thanks for a private posting on this), because two concepts can be
understood under "name assignment": doing it (by a Naming Authority) and
accepting/using it (by a CA). Of course, a CA may also act as an NA -- but
they are independent roles.

So, rephrasing it, X.509 mandates the CAs to have a final word on name
assignment, by accepting/using it and -- in order to accept it -- by
previously verifying it under certain global rules.

Therefore, the CAs are not usurping the role of the directory, neither
when they double as a NA nor when they have the final word on DNs. This is
not due to a flaw or impossibility in X.500, as implied by Xavier, and
actually allows (under X.509's assumptions) a global PKI to be built. 

On the other hand, a local name assignment (as Patrick and Bob pointed out
for PKIX) could also be useful, which is further allowed for by X.509
itself, if other DN fields are used (eg, for the e-mail), if pseudonyms or
aliases are accepted by the CA's CPS, etc.



Dr.rer.nat. E. Gerck                        egerck@laser.cps.softex.br
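The PKIX rule Bob states in the quoted reply (the subject DN may be an empty SEQUENCE, but then a subjectAltName extension must be present and marked critical; the same rule later appears in RFC 5280, section 4.1.2.6) is easy to get wrong in code because DER encodes `critical BOOLEAN DEFAULT FALSE` by omitting the field entirely when it is false. The following is an added example, not code from this thread or from any of the participants: a minimal DER encoder for a Name and a subjectAltName extension, a matching parser, and a checker that enforces the rule. The `check_subject_naming` function, the `OID_*` constants and the sample names are all constructed for this illustration.

```python
"""PKIX empty-subject check over hand-built DER (added example, constructed data)."""
from typing import List, Optional, Tuple

OID_CN = (2, 5, 4, 3)      # id-at-commonName
OID_SAN = (2, 5, 29, 17)   # id-ce-subjectAltName


# ---- tiny DER encoder -------------------------------------------------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    out = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(out)]) + out


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(arcs: Tuple[int, ...]) -> bytes:
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = "more"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def encode_name(rdns: List[List[Tuple[Tuple[int, ...], str]]]) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue. [] -> empty SEQUENCE."""
    sets = b""
    for rdn in rdns:
        atvs = b"".join(der_tlv(0x30, der_oid(oid) + der_tlv(0x0C, v.encode())) for oid, v in rdn)
        sets += der_tlv(0x31, atvs)
    return der_tlv(0x30, sets)


def encode_san(general_names: List[Tuple[str, str]], critical: bool) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    tags = {"rfc822": 0x81, "dns": 0x82}      # [1] rfc822Name, [2] dNSName (IA5String)
    gns = b"".join(der_tlv(tags[k], v.encode("ascii")) for k, v in general_names)
    body = der_oid(OID_SAN)
    if critical:                               # DER: a DEFAULT value is never encoded
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, der_tlv(0x30, gns))  # extnValue wraps GeneralNames SEQUENCE
    return der_tlv(0x30, body)


def encode_extensions(exts: List[bytes]) -> bytes:
    return der_tlv(0x30, b"".join(exts))


# ---- tiny DER parser --------------------------------------------------------
def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body: bytes) -> Tuple[int, ...]:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)


def parse_extensions(ext_der: bytes) -> List[Tuple[Tuple[int, ...], bool, bytes]]:
    _, body, _ = der_read(ext_der)
    result = []
    for _, ebody in der_children(body):
        parts = der_children(ebody)
        oid, critical, idx = decode_oid(parts[0][1]), False, 1
        if parts[idx][0] == 0x01:             # critical present only when TRUE
            critical, idx = parts[idx][1] == b"\xff", idx + 1
        result.append((oid, critical, parts[idx][1]))
    return result


# ---- the PKIX rule ----------------------------------------------------------
def check_subject_naming(subject_der: bytes, extensions_der: Optional[bytes]) -> Tuple[bool, str]:
    tag, body, _ = der_read(subject_der)
    if tag != 0x30:
        return False, "subject is not a SEQUENCE"
    if body:
        return True, "subject DN present; subjectAltName optional"
    sans = [e for e in (parse_extensions(extensions_der) if extensions_der else []) if e[0] == OID_SAN]
    if not sans:
        return False, "empty subject DN but no subjectAltName extension"
    _, critical, value = sans[0]
    if not critical:
        return False, "empty subject DN but subjectAltName is not marked critical"
    _, gn_body, _ = der_read(value)
    if not der_children(gn_body):
        return False, "subjectAltName carries no names"
    return True, "empty subject DN; critical subjectAltName present"


if __name__ == "__main__":
    san = encode_san([("rfc822", "user@example.com")], critical=True)
    print(check_subject_naming(encode_name([]), encode_extensions([san])))
```

The non-critical case is the one a hand-rolled checker most often misses: the encoder silently drops `critical` when it is false, so a parser that assumes a fixed field position reads the OCTET STRING as the BOOLEAN and misreports the extension.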