pem-dev

Eternal DNs and UIDs

1993-08-14 13:25:00
In a previous message that got overlooked in the flurry of responses 
regarding assurance and liabilities, I asked a question about 
the duration or scope of a Distinguished Name over time.

Everyone knows that a Distinguished Name has to be globally unique. 
But for how long? From the instant it is assigned until the Certificate (if any)
expires? Until the association with the individual and the DN is no longer
valid? For the life of the individual? Forever?

I don't recall anything in X.500 which addresses the issue, but I would
imagine that their intent was that the X.500 directory represents a snapshot
of the current DNs and their attributes, with the view that these attributes
will vary over time.

But from the point of view of authenticating a document in the archives many 
years later, it is important that we clearly understand the temporal semantics.
(It is bad enough that the UCST time is modulo 100 years--couldn't they have 
afforded just another byte or two?)

Obviously it will be necessary to cache the originator's certificate, along with
his entire certificate chain and the message itself, even if the originator
did not include his certificate or the certificate of his CA or PCA in his
original message. In addition, for _true_ nonrepudiation, it may also be
necessary to include a trusted timestamp on the message together with the next
CRL issued by the CA after the timestamp. Finally, unless we can somehow resolve
the question of how often a PCA is allowed to change its policy without changing
its certificate, it may be necessary to include the PCA's policy as well.

But all this assumes that the originator can be identified by his DN. What if 
someone else is allowed to reuse that DN at another point in time, e.g., after
the first person has left the CA's organization or died? It would appear that
all sorts of confusion could conceivably arise.

It seems to me that is one of the best reasons for using employee numbers that
are allocated sequentially and never reused, and why I think they should be
included in the DN somewhere. The other reason is to take care of the situation
where there are two John Joneses working for the same company, and let's say
that they both work in the same OU. Do we force one to change his name to John
"The Hunk" Jones?

Now let's think about the Persona CA. What happens at the expiration of the
certificate containing a particular DN? Is someone else allowed to register for
the same name?

I can imagine that the PCA might allow the original user to request that a new
certificate be issued for the old DN, and if he did that before his certificate
expired he could authenticate his request using his current certificate. After
that, his request could not be authenticated except by ignoring the expiration
date.

If the original persona dies or retires, should someone else be able to lay
claim to his mantle of greatness or infamy, as the case might be? Elvis Lives!!!

Likewise, if I were to go to work for another company, is there any way that
I could establish the fact that I was still the same person, now with a
different DN?

I understand from Mark Wohl that one proposed use of the UID field would be to
differentiate between two different certificates (e.g., one that uses RSA and
one that uses DSS and Diffie-Hellman). It would appear that these two uses
would conflict with each other.

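An added illustration, not code from this posting or from the PEM project, of the archival evidence bundle and the DN-reuse problem discussed above, written in Python over constructed sample certificates, dates and serials: the checker treats the trusted timestamp, the first CRL issued after it, and a never-reused employee number carried alongside the DN as what an archive needs to tie a message to one person years later, even after the same DN has been handed to someone else.

```python
from dataclasses import dataclass, field
from datetime import date
# Constructed sample data throughout; nothing here is a real PKI record.

@dataclass(frozen=True)
class Cert:
    dn: str          # Distinguished Name; may be reassigned to another person later
    uid: str         # employee number, allocated sequentially and never reused
    serial: int
    not_before: date
    not_after: date

@dataclass
class CRL:
    issued: date
    revoked: set = field(default_factory=set)   # revoked certificate serials

@dataclass
class ArchivedMessage:
    claimed_dn: str
    claimed_uid: str
    cert: Cert       # originator certificate cached with the message
    timestamp: date  # trusted timestamp applied when the message was received
    next_crl: CRL    # first CRL the CA issued after the timestamp

def verify_archived(msg) -> list:
    """Return the problems found; an empty list means the evidence holds up."""
    c = msg.cert
    problems = []
    if not (c.not_before <= msg.timestamp <= c.not_after):
        problems.append("timestamp outside certificate validity")
    if msg.next_crl.issued < msg.timestamp:
        problems.append("CRL predates the timestamp; revocation state unknown")
    if c.serial in msg.next_crl.revoked:
        problems.append("certificate revoked by the next CRL")
    if (c.dn, c.uid) != (msg.claimed_dn, msg.claimed_uid):
        problems.append("certificate does not identify the claimed signer")
    return problems

def holders_of_dn(certs, dn) -> list:
    """Distinct people (by never-reused UID) who have held the same DN."""
    return sorted({c.uid for c in certs if c.dn == dn})

DN = "CN=John Jones, OU=Sales, O=Example Corp, C=US"
JONES_A = Cert(DN, "10042", 1, date(1993, 1, 1), date(1994, 12, 31))
JONES_B = Cert(DN, "10777", 2, date(1995, 3, 1), date(1996, 12, 31))  # same DN, new person
CRL_JUL93 = CRL(date(1993, 7, 1))
MSG_OK = ArchivedMessage(DN, "10042", JONES_A, date(1993, 6, 15), CRL_JUL93)
MSG_WRONG_PERSON = ArchivedMessage(DN, "10777", JONES_A, date(1993, 6, 15), CRL_JUL93)
MSG_STALE = ArchivedMessage(DN, "10042", JONES_A, date(1995, 6, 15), CRL_JUL93)
```

Resolving the signer by DN alone returns two holders for the same name; only the (DN, UID) pair, checked against the cached certificate, picks out one of them.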
  • Eternal DNs and UIDs, jueneman%wotan <=