pem-dev

Re: Unique DNs

1993-03-02 14:30:00
Hello Steve -- Your questions are very good and on the mark.

I believe they have straightforward answers, which I will try to
provide here.

From Steve Dusse's message Fri, 26 Feb 93 11:44:14 PST:

}Because of the recent sentiment on this mailing list that we should
}align as much as possible to the SD-5, let's see if I have this all
}correct and throw out a few questions at the same time.
}
}An organization can have national standing if the organization is
}created and named by the U.S. Congress.
}
}1. What form of proof of RTU (Right-To-Use) for a name might we
}expect to see from such an organization ?

Some are obvious: (e.g., National Aeronautics and Space
Administration, Department of Energy, Tennessee Valley Authority,
etc).  I expect that you should just ask the applicant "What is the
official name of your organization?"  And, "Where is it chartered?"

Some applicants may need to go back to the office and ask a few
questions, but the answer is generally easy for them to find for you.
Or, you might just accept a less formal "proof", depending on what you
think you are certifying.  Do you really want to see a copy of the
NASA chartering legislation?

In short, if you consider this pragmatically, the answer is easy.

}An organization might also have national standing conferred upon it
}by registering under ANSI.  This sounds reasonable as we can ask for
}a copy of the resulting ANSI documentation (indeed RSA Data Security,
}Inc. has already performed this registration).

Yep!  This has the added value of causing applicants to realize that
they are applying on behalf of their agencies;-).

}An organization may have regional standing conferred upon it 'by
}registering with the "Secretary of State" (or similar entity) within
}that region - this is termed a "doing business as" (DBA)
}registration.'  However, they may have DBA registration in several
}(perhaps all 50) states.  Each such registration probably is embodied
}in some sort of business license and (at least in the state or states
}of incorporation) some incorporation papers, so proof of RTU is likely
}to be straightforward.

Yep!  This has the added value of causing applicants to realize that
they are applying on behalf of their companies;-).

}An organization may have local standing conferred upon it by a DBA
}registration with a "County Clerk" (or similar entity) within that
}place.  However, they may have DBA registration in several
}localities.  Each such registration probably is embodied in some sort
}of business license so proof of RTU is likely to be straightforward.

Yep!

}Now, all we have to do is help organizations decide on a DN for their
}PEM certificates.  Let's see if the SD-5 can help me out here.

Yep!

}    2.3 Listing Algorithm
}
}    The final step is to define how entities are listed within the
}    context of the civil naming infrastructure.  Once again, Note
}    that an entity may have several listings (DNs) in different parts
}    of the Directory.
}
}YIKES ! Now I'm really stuck.  It looks like an organization generally
}has the same Attribute-Value Assertions in each of their distinct DNs
}(depending on where they list), however, they appear on different
}levels.  As you all know, even moving an attribute from one level to
}another affects the Distinguished Encoding of a name, hence, each
}certificate corresponds to exactly one DN.

Yes, in reality, every identifiable entity actually owns a huge DN
name space.  This AHA type realization typically comes with a loud:

                      "YIKES!  What do I do NOW?"

Let's just explore this a little bit.  Intellectual property law
asserts that only the duly elected officials of Network Management
Associates, Inc., which is a registered corporation in the State of
California, in the United States of America, may use that set of names
together in any associative combination.  Thus I can safely form a DN
with my corporate name, my state of registration, and my country name,
in any X.500 schema combinations that are allowed.  SD-5 shows several
of the combinations that are allowed.

Now, having the exclusive right to use all those combinations in
association with each other does not mean that I (or anyone) has
practical reasons to ever actually use them all;-).  What is asserted
is that only Network Management Associates, Inc. has the right to make
the choices as to which combinations will actually be used.  

Consider for a moment the anarchy that would reign if you could use
the combinations that I do not?  The law reasonably assigns the
right-to-use to also include the right-to-not-use, with the corollary
of the obligation-to-not-use to all others.

}2. Should we create a certificate for each DN that the organization
}has listed ?  What if they haven't listed anywhere ?  Should we make
}up a DN based on their standing ?  What about the regional orgs. that
}have listed in multiple states or the local orgs. that have listed in
}multiple locales.  How should they choose a DN ?

To get my PEM certificate, at $25/each, I assure you I am not going to
buy more than I need, so I need to pick one, or only a few.  I should
endeavor to pick the one that best suits my business needs.  I may not
be smart enough to know which one is really my best choice, but, for
your purposes, you just have to get me to tell what is my DN choice.

You then only need to check it for correctness in terms of syntax, and
authenticity to the extent that you care about authenticity.

It does not matter whether I have listed anywhere, or not.  My
right-to-use is lodged in the facts of the separate hierarchical
registrations of c=us, st=ca, o=Network Management Associates, Inc.
No one else has the right to use those RDN values in association with
each other, whether I have listed them anywhere or not.

}OK, perhaps with enough people-time and careful counseling we can get
}through the Org. certification without too much bloodshed.  Now let's
}move on to persons.

Actually, your problem is to get them to tell you what DN values they
choose to bind to certificate key values, and until they tell you, you
can just not register anything.  Most rational people will not spend
much of their time (or yours) making this decision once they
understand that they have a choice (or two), but must choose one per
DN certificate.  You do need to think about how to perform the
interrogation so that it can be done by people who have not been drug
through this discussion;-).

}"Listing organizational persons is a local matter to be decided by
}each organization."   -Phew :-)

How else or who else would you have make these decisions?  No one that
I can think of.  Actually, people are pretty good about it, since it
comes naturally with living in the current world.  The civil naming
system is carefully designed, over thousands of years, to be highly
decentralized in the interests of serving the needs for naming
everything we want to think about.

}'Residential persons are identified by the place where they reside,
}usually with a multi-valued RDN consisting of a commonName attribute
}value, and some other distinguished attribute value.  Although an
}obvious choice is to use something like postalCode or streetAddress,
}it should be noted that this information may be considered private.
}Hence, some other, distinguishing attribute value may be used -
}possibly even a "serial number" attribute value (assigned by an ADDMD)
}which has no other purpose other than to give uniqueness.'
}
}We would really love to accommodate those hordes of users that have
}already listed.  But what about those few that haven't.

I think you are slipping back into confusion between listing and
registration.  In c=us, you register at your residential address when
you physically move into your residence.  I do not need to go to the
US Postal Service and "register" with them at that address.  You just
put your name on your assigned mailbox if there is more than one
apartment, or your house number on the curb, trusting that someone has
put up a Street Sign, and give out your name and address to various
people who will want to send mail, or come to visit.  I understand
that in Canada, you actually have to register with Canada Post (but
this is a rumor as far as I know;-).

No one else is legally entitled to use your residential address
without your permission.  With your permission, of course, it is OK.

}3.  Do we force individuals to list before they can get a certificate
}?  If we don't require listing, what DN should an individual use with
}their certificate ?

Absolutely not!  This is that listing/registration confusion again.

}Let's take a peek at Canada and see if any of the issues get any easier.
}
}In general, organizations achieve standing by registering an
}alphanumeric name value in accordance with the procedures in CSA
}Z243.110.1.

I am not familiar with Z243.110.1, but it would appear to be a DBA kind
of registration.

}"No existing registry of localities has been identified to date."

Well, I expect it exists, and most people do know the names of the
localities where they live and work.  It took us several years in c=us
to find and connect with FIPS-5 and FIPS-55.  I believe these are now
being grafted under the joint-iso-ccitt/c=us arc as the "locality"
subtree.  This suddenly establishes every FIPS-55 identified locality
as a naming authority jurisdiction directly connected under the
JOINT-ISO-CCITT branch of the OID tree, without any further actions by
anyone.  FIPS-55 is a chartered Government activity with the mission
to establish locality identification standards.

}4. Is this the "existing" civil infrastructure that Canadian
}organizations have been utilizing to register names ?  If not, should
}we require such registration before we certify them ?  What form of
}proof of RTU might we expect from Canadian organizations ?

Well, for individuals, you use the residential person rules, and for
organizations you ask them for evidence of their Charter for doing
business.  You will have to do a bit of research in Canada to find out
what these things are normally called in every day life.  

}"...an entity may have a single name or two names (one in each of the
}Canadian official languages).  As such, the naming scheme allows
}dual-named entities to use either or both name when constructing
}listings."
}
}5. Should a single DN have multiple attribute-value assertions for
}the same attribute corresponding to "each of the Canadian official
}languages" ?

Back to basics.  What they are saying is that entities often have the
right-to-use two names, one in each of two languages.  To get a PEM
certificate, they are going to have to choose one.  Unless it is
permitted for the other to somehow be an ALIAS for the first.  

It is not clear to me (and I am not going to read the docs to find out)
whether PEM allows more than one DN to identify the same certificate.
I do know that in X.500, I should be able to use either language name
to retrieve information, whether it is lodged in the DIT as one entry
with an alias or as two separate entries, each holding the same PEM
certificate.  The question I have is whether the PEM certificate can
bind both language names to the same key.  I expect you know the
answer.  If you cannot bind two language names to the same key in one
certificate, does this cause a problem?  I have no idea.

}In summary, the SD-5 provides some guidelines for listing entities in
}the DIT based on existing registration infrastructure.  Now for the
}hard part, how does this help an entity choose a DN for their
}certificate ?
}
}Cheers,
}Steve Dusse
}
}p.s. The questions are not as facetious as they sound.  We are really
}struggling with these issues.  Positive input is appreciated.

I agree that your questions are the result of a real struggle with
real issues.  I am pleased to respond to direct questions about SD-5.
I hope that my answers are helpful;-)...\Stef
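
The Distinguished Encoding point in the exchange above (moving an attribute to another level changes the encoding, and the SD-5 residential multi-valued RDN), shown with an added example that is not part of the original thread. It is a minimal hand-written DER encoder for an X.500 Name that assumes PrintableString values; the OIDs are the X.520 attribute types and the sample DNs are constructed from names quoted in the thread.

```python
# Added example (not from the pem-dev thread): a minimal DER encoder for an
# X.500 Name, showing that the same AVAs at different levels encode differently.
from typing import Sequence, Tuple

OIDS = {"c": "2.5.4.6", "st": "2.5.4.8", "o": "2.5.4.10",
        "cn": "2.5.4.3", "serialNumber": "2.5.4.5"}  # X.520 attribute types

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _ava(attr: str, value: str) -> bytes:
    # AttributeTypeAndValue ::= SEQUENCE { type OID, value PrintableString }
    return _tlv(0x30, _oid(OIDS[attr]) + _tlv(0x13, value.encode("ascii")))

def encode_name(rdns: Sequence[Sequence[Tuple[str, str]]]) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AVA.  DER sorts SET members by
    their encoded octets, so order inside one RDN is irrelevant, but the
    order of the RDNs (the levels of the DN) is part of the encoding."""
    sets = [_tlv(0x31, b"".join(sorted(_ava(a, v) for a, v in rdn)))
            for rdn in rdns]
    return _tlv(0x30, b"".join(sets))

# Constructed sample DNs built from names quoted in the thread.
NMA = "Network Management Associates, Inc."
DN_C_ST_O = [[("c", "us")], [("st", "ca")], [("o", NMA)]]
DN_C_O_ST = [[("c", "us")], [("o", NMA)], [("st", "ca")]]  # same AVAs, other level
# SD-5 residential person: cn plus an ADDMD-assigned serial number in one
# multi-valued RDN, versus the same two values split across two levels.
RES_ONE_RDN = [[("c", "us")], [("cn", "Jane Doe"), ("serialNumber", "12345")]]
RES_TWO_RDNS = [[("c", "us")], [("cn", "Jane Doe")], [("serialNumber", "12345")]]
```

Comparing `encode_name(...)` outputs byte-for-byte is the practical test of whether two DNs are the same name, since a certificate binds a key to exactly one such encoding.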
