Howdy GentlePemAndX.500Folks,
Thanks to Steve Kent for refocusing the DN discussion.
RSA Data Security, Inc. intends to become a PCA for some commercial
and residential users. I have been following the X.500 DN discussion
and have kept familiar with the NADF-175 and SD-5.
As we will most likely be certifying a number of entities that have no
prior experience with X.500, we will be in the unfortunate position of
counseling people on their choice of Distinguished Names for their
certificates.
Because of the recent sentiment on this mailing list that we should
align as much as possible to the SD-5, let's see if I have this all
correct and throw out a few questions at the same time.
An organization can have national standing if the organization is
created and named by the U.S. Congress.
1. What form of proof of RTU (Right-To-Use) for a name might we
expect to see from such an organization?
An organization might also have national standing conferred upon it
by registering under ANSI. This sounds reasonable as we can ask for
a copy of the resulting ANSI documentation (indeed RSA Data Security,
Inc. has already performed this registration).
An organization may have regional standing conferred upon it 'by
registering with the "Secretary of State" (or similar entity) within
that region - this is termed a "doing business as" (DBA)
registration.' However, they may have DBA registration in several
(perhaps all 50) states. Each such registration probably is embodied
in some sort of business license and (at least in the state or states
of incorporation) some incorporation papers, so proof of RTU is likely
to be straightforward.
An organization may have local standing conferred upon it by a DBA
registration with a "County Clerk" (or similar entity) within that
place. However, they may have DBA registration in several
localities. Each such registration probably is embodied in some sort
of business license so proof of RTU is likely to be straightforward.
Now, all we have to do is help organizations decide on a DN for their
PEM certificates. Let's see if the SD-5 can help me out here.
"2.3 Listing Algorithm
The final step is to define how entities are listed within the
context of the civil naming infrastructure. Once again, note
that an entity may have several listings (DNs) in different parts
of the Directory."
YIKES ! Now I'm really stuck. It looks like an organization generally
has the same Attribute-Value Assertions in each of their distinct DNs
(depending on where they list), however, they appear on different
levels. As you all know, even moving an attribute from one level to
another affects the Distinguished Encoding of a name, hence, each
certificate corresponds to exactly one DN.
2. Should we create a certificate for each DN that the organization
has listed? What if they haven't listed anywhere? Should we make
up a DN based on their standing? What about the regional orgs. that
have listed in multiple states or the local orgs. that have listed in
multiple locales? How should they choose a DN?
OK, perhaps with enough people-time and careful counseling we can get
through the Org. certification without too much bloodshed. Now let's
move on to persons.
"Listing organizational persons is a local matter to be decided by
each organization." -Phew :-)
'Residential persons are identified by the place where they reside,
usually with a multi-valued RDN consisting of a commonName attribute
value, and some other distinguished attribute value. Although an
obvious choice is to use something like postalCode or streetAddress,
it should be noted that this information may be considered private.
Hence, some other, distinguishing attribute value may be used -
possibly even a "serial number" attribute value (assigned by an ADDMD)
which has no other purpose other than to give uniqueness.'
We would really love to accommodate those hordes of users that have
already listed. But what about those few that haven't?
3. Do we force individuals to list before they can get a certificate?
If we don't require listing, what DN should an individual use with
their certificate?
Let's take a peek at Canada and see if any of the issues get any easier.
In general, organizations achieve standing by registering an
alphanumeric name value in accordance with the procedures in CSA
Z243.110.1.
"No existing registry of localities has been identified to date."
4. Is this the "existing" civil infrastructure that Canadian
organizations have been utilizing to register names? If not, should
we require such registration before we certify them? What form of
proof of RTU might we expect from Canadian organizations?
"...an entity may have a single name or two names (one in each of the
Canadian official languages). As such, the naming scheme allows
dual-named entities to use either or both names when constructing
listings."
5. Should a single DN have multiple attribute-value assertions for
the same attribute corresponding to "each of the Canadian official
languages"?
In summary, the SD-5 provides some guidelines for listing entities in
the DIT based on existing registration infrastructure. Now for the
hard part, how does this help an entity choose a DN for their
certificate ?
Cheers,
Steve Dusse
p.s. The questions are not as facetious as they sound. We are really
struggling with these issues. Positive input is appreciated.
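Added example (not part of Steve Dusse's message, and not RSA's or any PEM implementation's code): the remark in the message that moving an attribute from one level of a DN to another changes the Distinguished Encoding, and the SD-5 description of a residential person's multi-valued RDN (commonName plus an ADDMD-assigned serial number), can both be seen directly in the DER bytes. The block below hand-encodes X.500 Names (Name ::= SEQUENCE OF RDN, RDN ::= SET OF AVA) using only the standard library. The organization and person names, the locality "Springfield" and the serial number are all constructed for illustration; the attribute-type OIDs are the X.520 ones.

```python
"""Added example: DER-encode X.500 Names by hand and compare the bytes.

Not from the original message and not RSA's code. It shows that a Name
is a SEQUENCE OF RDNs and each RDN a SET OF AVAs, so the same attribute
values placed on different levels of the DIT give different Distinguished
Encodings, while the order in which the AVAs of one multi-valued RDN are
written down does not change the encoding. Sample names are constructed.
"""

# Attribute-type OIDs from X.520 (the id-at arc, 2.5.4).
OID = {
    "C": "2.5.4.6",    # countryName
    "ST": "2.5.4.8",   # stateOrProvinceName
    "L": "2.5.4.7",    # localityName
    "O": "2.5.4.10",   # organizationName
    "CN": "2.5.4.3",   # commonName
    "SN": "2.5.4.5",   # serialNumber
}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06) with base-128 sub-identifiers."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_printable_string(s: str) -> bytes:
    return der_tlv(0x13, s.encode("ascii"))


def der_sequence(elements) -> bytes:
    return der_tlv(0x30, b"".join(elements))


def der_set_of(elements) -> bytes:
    """SET OF (tag 0x31). DER (X.690 11.6) orders component encodings as
    octet strings, shorter ones padded at the end with zero octets."""
    elements = list(elements)
    width = max((len(e) for e in elements), default=0)
    ordered = sorted(elements, key=lambda e: e.ljust(width, b"\x00"))
    return der_tlv(0x31, b"".join(ordered))


def encode_ava(attr: str, value: str) -> bytes:
    """AttributeValueAssertion ::= SEQUENCE { type OID, value PrintableString }"""
    return der_sequence([der_oid(OID[attr]), der_printable_string(value)])


def encode_rdn(avas) -> bytes:
    """RelativeDistinguishedName ::= SET OF AttributeValueAssertion"""
    return der_set_of(encode_ava(a, v) for a, v in avas)


def encode_name(rdns) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName (root first)."""
    return der_sequence(encode_rdn(rdn) for rdn in rdns)


def attribute_values(rdns):
    """The AVAs of a Name, ignoring which level each one sits on."""
    return sorted(ava for rdn in rdns for ava in rdn)


# Constructed sample names: the same three AVAs, on different levels.
# (a) organization listed nationally, locality as a further level below it
NAME_LEVELS = [[("C", "US")], [("O", "Example Widgets")], [("L", "Springfield")]]
# (b) organization listed locally: O and L together in one multi-valued RDN
NAME_MULTIVALUED = [[("C", "US")], [("O", "Example Widgets"), ("L", "Springfield")]]
# (c) the same RDN as (b), AVAs written in the other order
NAME_MULTIVALUED_REORDERED = [[("C", "US")], [("L", "Springfield"), ("O", "Example Widgets")]]
# (d) residential person per SD-5: commonName plus an ADDMD-assigned serial number
NAME_RESIDENTIAL = [[("C", "US")], [("L", "Springfield")], [("CN", "Jane Doe"), ("SN", "000123")]]


def compare_layouts() -> dict:
    """Which choices change the Distinguished Encoding and which do not."""
    a, b, c = (encode_name(n) for n in (NAME_LEVELS, NAME_MULTIVALUED, NAME_MULTIVALUED_REORDERED))
    return {
        "same_avas": attribute_values(NAME_LEVELS) == attribute_values(NAME_MULTIVALUED),
        "levels_change_encoding": a != b,
        "ava_order_changes_encoding": b != c,
    }


if __name__ == "__main__":
    for label, name in (("levels", NAME_LEVELS), ("multi-valued", NAME_MULTIVALUED),
                        ("reordered", NAME_MULTIVALUED_REORDERED), ("residential", NAME_RESIDENTIAL)):
        print(f"{label:12s} {encode_name(name).hex()}")
    print(compare_layouts())
```

Running the block prints the hex encodings of the four names followed by the comparison; the practical consequence for a PCA is that a certificate signed over name (a) cannot be matched against a listing that uses layout (b), even though the subject's attribute values are identical, whereas (b) and (c) are the same DN and the same certificate.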