pem-dev

Organizational Roles

1993-08-13 10:23:00
Richard, 

Re our recent correspondence regarding the use of various ways to 
encode an organizational role within a DN. I appreciate your clarification
of the different possibilities, but they seem rather cumbersome. I like 
your first suggestion better - just use the Title field. 

I'm certainly no expert on the laws of agency, but as I understand it, 
if I sign something that I was not authorized to sign (by charter from 
my organization), my company could attempt to deny the validity of the 
transaction by saying that I was not authorized to commit the company,
and that the contract is therefore invalid.  (Worse yet, either or both
companies might try to stick me personally with the responsibility, 
when I merely exceeded my authority by accident, or through a
misunderstanding.)

The plaintiff in this case would then undoubtedly reply that they had
no way of knowing that I was not so authorized, and that the fact that
I did sign it, and that my distinguished name included the name of the
company would reasonably lead them to expect that I was so authorized.

Of course, if the purchase in question were for a Boeing 767 and the
purchase order was signed by a clerk in the Maintenance Department,
any reasonable corporation would have checked further, but otherwise
the matter might end up in litigation.

There might not be any practical difference, but the use of an explicit
organizational role might tend to give greater weight to the assumption
that someone was in fact authorized to perform some particular function
than just a title. More importantly, if I understand what you are saying, you
can either have an organizational role or you can be identified by your
individual name, but not both, since you can't have two common names.

Assuming this is correct, and following up on my previous message regarding
our proposed DISCLAIMER: CA, I would propose to use the following
style for managers, directors, and others regardless of whether they
have the authorization to commit the company in a legal or contractual 
sense:

C=US, O=GTE Labs,
OU= Employee # 22934,
T=Mgr., Secure Systems Dept.,
CN=Robert R. Jueneman

In this case, our internal practice will require the use of a smart card 
for the signature function, and we will also require the use of keys that 
are close to the maximum length (1024 bits, as I recall?).

Note in this case that the OU=DISCLAIMER: AUTHORIZED 
COUNTERSIGNATURE REQUIRED is not used, so as a manager I 
could validly countersign an employee's time card, expense account, 
etc., with the expectation that it would hold up in the case of an audit
or other legal proceedings. (I could also sign or countersign a billion 
dollar contract, but that wouldn't ipso facto make it valid.)

In particular, it appears to me that the use of a Title within a DN
does not assert a very strong claim to have any particular 
AUTHORIZATION, and I would assume that most prudent companies
would take that same position. (Although if my title were President or
Chief Executive Officer I might have a pretty tough time escaping the 
implied agency assumption.)

Does anyone see anything wrong with this approach?
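
The DN style proposed above, worked through as an added example that is not from the post or the pem-dev list: a string form with RFC 4514-style escaping (an assumption here; it is needed because the title value contains commas that would otherwise split the DN into extra RDNs), a parser for it, and the countersignature check that the DISCLAIMER OU convention implies. The T= keyword is the post's, not a registered RFC 4514 short name.

```python
from typing import List, Tuple

# The DN from the post as (keyword, value) pairs. "T" is the post's keyword for
# Title (assumption: kept as-is; RFC 4514 registers no short name for it).
PROPOSED_DN: List[Tuple[str, str]] = [
    ("C", "US"),
    ("O", "GTE Labs"),
    ("OU", " Employee # 22934"),
    ("T", "Mgr., Secure Systems Dept."),
    ("CN", "Robert R. Jueneman"),
]
DISCLAIMER_OU = "DISCLAIMER: AUTHORIZED COUNTERSIGNATURE REQUIRED"
_SPECIAL = set(',+"\\<>;')  # must be escaped anywhere in a value (RFC 4514 2.4)

def escape_value(value: str) -> str:
    """Escape a value so the commas in the title survive the string form."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in _SPECIAL or leading or trailing else ch)
    return "".join(out)

def dn_to_string(rdns: List[Tuple[str, str]]) -> str:
    return ",".join(f"{attr}={escape_value(val)}" for attr, val in rdns)

def parse_dn(s: str) -> List[Tuple[str, str]]:
    """Split on unescaped commas only, dropping the escapes as we go."""
    rdns, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):  # escaped character: keep it literally
            buf.append(s[i + 1])
            i += 2
            continue
        if s[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    rdns.append("".join(buf))
    return [(attr.strip(), val) for attr, _, val in (r.partition("=") for r in rdns)]

def countersignature_required(rdns: List[Tuple[str, str]]) -> bool:
    """The post's convention: the DISCLAIMER OU marks a DN whose signature alone
    does not commit the organization. Without it, only the Title is present, and
    the post argues a Title asserts no particular authorization."""
    return any(attr == "OU" and val == DISCLAIMER_OU for attr, val in rdns)
```

A naive split of the string form on bare commas yields six pieces instead of five RDNs, cutting the title in half; a relying party that parses DNs that way would misread the role the post is trying to convey.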
