Pem-Dev folks:
Regarding the newly released version of "RFC 1114E", we've encountered
two situations which may stress the naming system.
Scenario one: An organization with external clients
[Disclaimer: All names are fictitious and used for illustration
purposes only.]
We believe there will be a number of situations in which an organization
will want to issue certificates to its clients in order to facilitate
communication with them. The clients will not be part of the same
company or agency, nor will they have their own certificates. What
should the distinguished name look like? Here's a possible example.
The IRS wishes to work with tax preparation companies to initiate
PEM-based filing of taxpayer returns. It decides to issue
certificates to the tax preparation companies.
In reading RFC 1114E and X.521, one possible way to arrange the
distinguished names is to use the Organization Role object
class. This might lead to something like:
O = "The Internal Revenue Service"
OU = "Tax Preparers"
CN = "H. & R. Block, Inc."
H. & R. Block would then submit tax returns to the IRS and sign
its submissions with the private key corresponding to this
certificate.
Now it might be argued that H. & R. Block ought to have its own
certificate, issued by some PCA. Eventually this may be true, but we
foresee numerous situations in which the service organization -- the
IRS in this case -- will prefer to issue its own credentials, *and*,
with equal force, the client may not be in a position to institute
general certificate issuing capability within its own organization.
(To see an example of the latter, suppose GM wants PEM-based
transactions with its suppliers, and let's suppose one of its
suppliers is Radio Shack, which is a division of Tandy. Tandy may not
be ready to become a CA, but the portion of Radio Shack that deals
with GM may be obligated to work with PEM. Its simplest course is to
obtain the necessary software and certificate from GM, and defer
becoming a CA until sometime later.)
Question for the community: Is this use of X.521 object classes for this
purpose considered within the intended spec? If not, how should this
scenario be addressed?
Scenario two: Professional "residences"
Professor I. M. Smart, Oceanview Institute of Technology, Nowater,
Kansas wishes to have a certificate. His institution is not ready to
become a CA. He desires one that identifies him as an individual, but
he wishes to use his institutional address as part of his distinguished
name. How can this be done? Prof. Smart desires a certificate of the
form:
CN = "Professor Irving Mortimer Smart"
O = "Oceanview Institute of Technology"
State or Province = "KS"
but this appears to violate the standard.
He will argue vigorously that something of the form:
CN = "Irving Mortimer Smart"
Street Address = "2299 Seaview Drive"
Locality Name = "Ocean Heights"
State or Province Name = "KS"
doesn't do the job. No one knows him by that information, nor is he
eager to list his home address.
Question for the community: How does the professor get a certificate
and what does the distinguished name look like?
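To make the two scenarios concrete, here is an added example (not part of the original message) that represents each proposed distinguished name as an ordered list of attribute/value pairs, serializes it in the RFC 4514 string form (which must escape the comma inside "H. & R. Block, Inc."), parses it back, and checks the X.500 tree relationship between a subject name and a would-be issuer. The root-first ordering of the professor's name (ST, O, CN) is an assumption, since the message lists the attributes without stating their hierarchy.

```python
# Added example: X.500 distinguished names for the two PEM scenarios,
# kept root-first as (attribute type, value) pairs.
from typing import List, Tuple

RDN = Tuple[str, str]          # (attribute type, attribute value)
SPECIAL = ',+"\\<>;'           # characters RFC 4514 requires to be escaped

def escape_value(value: str) -> str:
    """Escape a value for the RFC 4514 string representation of a DN."""
    out = "".join("\\" + c if c in SPECIAL else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def dn_to_string(dn: List[RDN]) -> str:
    # RFC 4514 writes RDNs leaf-first, the reverse of the root-first order used here.
    return ",".join(f"{t}={escape_value(v)}" for t, v in reversed(dn))

def parse_dn(text: str) -> List[RDN]:
    """Parse an RFC 4514 string (no multi-valued RDNs) back into root-first pairs."""
    rdns, field, cur, esc = [], "", None, False  # cur holds the type once '=' is seen
    for ch in text:
        if esc:
            field += ch; esc = False
        elif ch == "\\":
            esc = True
        elif ch == "=" and cur is None:
            cur, field = field.strip(), ""
        elif ch == ",":
            rdns.append((cur, field)); cur, field = None, ""
        else:
            field += ch
    rdns.append((cur, field))
    return list(reversed(rdns))

def is_subordinate(subject: List[RDN], superior: List[RDN]) -> bool:
    """True if `superior` names an entry above `subject` in the X.500 tree."""
    return len(superior) < len(subject) and subject[:len(superior)] == superior

# Scenario one: the IRS (acting as CA) issues a certificate to a tax preparer.
IRS_CA = [("O", "The Internal Revenue Service")]
HR_BLOCK = IRS_CA + [("OU", "Tax Preparers"), ("CN", "H. & R. Block, Inc.")]
# Scenario two: the professor's preferred name sits under an institution
# that is not a CA (root-first order assumed: ST, O, CN).
OIT = [("ST", "KS"), ("O", "Oceanview Institute of Technology")]
SMART = OIT + [("CN", "Professor Irving Mortimer Smart")]
```

Running `dn_to_string(HR_BLOCK)` yields `CN=H. & R. Block\, Inc.,OU=Tax Preparers,O=The Internal Revenue Service`, and `is_subordinate(SMART, IRS_CA)` is false while `is_subordinate(SMART, OIT)` is true, showing that the professor's name falls under his institution rather than under any existing CA.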
Steve
+-------------------------------------+-------------------------------+
| Steve Crocker                       | Voice: 301-854-6889           |
| Trusted Information Systems         | FAX: 301-854-5363             |
| 3060 Washington Road                |-------------------------------|
| Glenwood, MD 21738                  | Internet: crocker@tis.com     |
+-------------------------------------+-------------------------------+