I HAVE PULLED OUT TWO PARAGRAPHS FOR YOU. The CA DN in a certificate is
not subordinated to the PCA's DN. So CA names need to be unique across the
PEM system. Otherwise, you do not know how to validate the certificate
chain.

3.3.5 Issuer Name

A certificate provides a representation of its issuer's identity, in
the form of a Distinguished Name. The issuer identification is used
to select the appropriate issuer public component to employ in
performing certificate validation. (If an issuer (CA) is certified
by multiple PCAs, then the issuer DN does not uniquely identify the
public component used to sign the certificate. In such circumstances
it may be necessary to attempt certificate validation using multiple
public components, from certificates held by the issuer under
different PCAs. If the 1992 version of a certificate is employed,
the issuer may employ distinct issuer UIDs in the certificates it
issues, to further facilitate selection of the right issuer public
component.) The issuer is the certifying authority (IPRA, PCA or CA)
who vouches for the binding between the subject identity and the
public key contained in the certificate.
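
An added example, not part of the quoted text or the original message: a minimal validator that uses the issuer DN only to narrow the candidate issuer certificates, then tries each candidate public component and fails closed if none verifies. The textbook RSA helper, the dict-based certificate records and every DN and key below are constructed assumptions for illustration.

```python
import hashlib

def M(k):
    return 2**k - 1  # Mersenne primes for k = 19, 31, 61, 89, 107, 127

def toy_keypair(p, q, e=65537):
    # Textbook RSA from two known primes: illustration only, not secure.
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def _digest(tbs, n):
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(issuer_dn, subject_dn, signing_key):
    # Hypothetical record layout: 'tbs' stands in for the signed fields.
    tbs = f"{issuer_dn}|{subject_dn}".encode()
    sig = pow(_digest(tbs, signing_key["n"]), signing_key["d"], signing_key["n"])
    return {"issuer": issuer_dn, "subject": subject_dn, "tbs": tbs, "sig": sig}

def verify(cert, pub):
    return pow(cert["sig"], pub["e"], pub["n"]) == _digest(cert["tbs"], pub["n"])

def candidate_issuer_certs(issuer_dn, store):
    # The issuer DN may match several certificates held under different PCAs.
    return [c for c in store if c["subject"] == issuer_dn]

def validate(cert, store):
    # Try each candidate public component; return the one that verifies.
    for cand in candidate_issuer_certs(cert["issuer"], store):
        if verify(cert, cand["pub"]):
            return cand
    return None  # fail closed: the DN matched but no key did

# Constructed sample data. PCA signatures on the CA certificates are omitted;
# only the CA-to-user step of the chain is shown.
CA = "O=Example Org"
ca_key_1 = toy_keypair(M(61), M(89))     # component certified under PCA One
ca_key_2 = toy_keypair(M(107), M(127))   # component certified under PCA Two
store = [{"issuer": "O=PCA One", "subject": CA, "pub": public(ca_key_1)},
         {"issuer": "O=PCA Two", "subject": CA, "pub": public(ca_key_2)}]
alice = issue(CA, "CN=Alice, O=Example Org", ca_key_2)
# A distinct entity that merely shares the CA's DN, signing with its own key.
stranger = issue(CA, "CN=Bob, O=Example Org", toy_keypair(M(19), M(31)))
```
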

. . .

3.4.2.2 Ensuring the Uniqueness of Distinguished Names

A fundamental requirement of this certification scheme is that
certificates are not issued to distinct entities under the same
distinguished name. This requirement is important to the success of
distributed management for the certification hierarchy. The IPRA
will not certify two PCAs with the same distinguished name and no PCA
may certify two CAs with the same DN. However, since PCAs are
expected to certify organizational CAs in widely disjoint portions of
the directory namespace, and since X.500 directories are not
ubiquitous, a facility is required for coordination among PCAs to
ensure the uniqueness of CA DNs. (This architecture allows multiple
PCAs to certify residential CAs and thus multiple, distinct
residential CAs with identical DNs may come into existence, at least
until such time as civil authorities assume responsibilities for such
certification. Thus, on an interim basis, the architecture
explicitly accommodates the potential for duplicate residential CA