Bob
I researched RFC1422 yet again on Distinguished Names and rediscovered a
muddle of ideas with no obvious guidance. This may be intentional, but
it leads to a variety of different interpretations.
In section 3.3.4-Subject Name "Users who are not registered in a (X.500)
directory should keep in mind likely directory naming structure (schema)
when selecting a distinguished name for inclusion in a certificate."
In section 3.4.1.2-User Registration "Most details of user registration
are a local matter, subject to policies established by the user's CA and
the PCA under which that CA has been certified. In general a user must
provide, at a minimum, his public component and distinguished name to a
CA, ..."
In section 3.4.2.4-Distinguished Name Conventions, certificates "...will
be for users or for other CAs, either of which must have DNs subordinate
to that of the issuing CA." and "The attributes employed in constructing
DNs will be specified in a list maintained by the IANA, to provide a
coordinated basis for attribute identification for all applications
employing DNs. This list will initially be populated with attributes
taken from X.520. (All??? Part??? Some??? - not clear) This document
(RFC1422???) does not impose detailed restrictions on the attributes
used to identify different entities to which certificates are issued,
but PCAs may impose such restrictions as part of their policies. PCAs,
CAs and users are urged to employ only those DN attributes which have
printable representations, to facilitate display and entry."
That pretty much seems to be it. There are several other groups in
North America and elsewhere that seem to be determined to limit the
assignments of DNs, but these are vague and probably not enforceable by
anything short of a national monopoly.
The limitation to printable representations may or may not limit the use
of role, depending on whether this is interpreted to be a Distinguished
Name (which is defined in X.501) or a Distinguished Encoding (which is
defined in X.509). The relationship between names and encodings is
nowhere clear. Many seem to feel that names are a part of ASN.1 and not
of the encoding, and therefore should be completely printable. The only
problem I see with this is that the codes used for the attribute type in
the printable strings (c=, l=, t=, etc.) are not really formalized and
even so mundane an item as StateOrProvince is coded as st= in the US and
sp= in Canada.
By the way, two cn's in a DN are not illegal under X.509 any more than
two ou's would be. That doesn't mean that I suggest that anyone do it.
I can't say from my own personal experience that IANA has taken up the
task given to them by implication in RFC1422 or even that IANA exists.
Since GTE will be establishing their own CA, it is up to GTE to find
Distinguished Names for its employees subject to the PCA only. And if
you don't like what one PCA tells you, go find another. And since
you're a telephone co., just become an administrative domain, build your
own directory and put your employees in it, surely no one could stop you
from doing that.
Ain't competition won'erful!
Peace ..Tom Jones
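Added example, not taken from this message or from RFC1422: a small Python parser for the printable "type=value, type=value" DN string form the message discusses, showing the unformalized type codes (st= and sp= both mapped to stateOrProvinceName), a printability check against the X.680 PrintableString repertoire, and the "subordinate to the issuing CA" rule of section 3.4.2.4 as a prefix test. It assumes root-first RDN order, no escaped commas, and a constructed alias table; as the message notes, repeated cn or ou values are kept rather than rejected.

```python
import re

# Alias table constructed for this example: the RFC1422 text leaves the
# printable type codes unformalized, so both "st=" (US usage) and "sp="
# (Canadian usage) are mapped to the X.520 attribute stateOrProvinceName.
ATTRIBUTE_TYPES = {
    "c": "countryName",
    "st": "stateOrProvinceName",
    "sp": "stateOrProvinceName",
    "l": "localityName",
    "o": "organizationName",
    "ou": "organizationalUnitName",
    "cn": "commonName",
    "t": "title",
}

# X.680 PrintableString: letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE_RE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a root-first 'type=value, ...' string into (X.520 type, value) pairs.

    Unknown type codes raise ValueError; duplicate types such as two cn or
    two ou RDNs are kept in order, since X.509 does not forbid them.
    Escaped commas inside values are not handled (assumption of this example).
    """
    rdns = []
    for part in dn.split(","):
        if not part.strip():
            continue
        code, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        code = code.strip().lower()
        if code not in ATTRIBUTE_TYPES:
            raise ValueError(f"unknown attribute type code {code!r}")
        rdns.append((ATTRIBUTE_TYPES[code], value.strip()))
    return rdns


def non_printable_values(rdns: list[tuple[str, str]]) -> list[str]:
    """Return attribute values outside PrintableString, which RFC1422 urges against."""
    return [value for _, value in rdns if not PRINTABLE_RE.match(value)]


def is_subordinate(subject: list[tuple[str, str]], issuer: list[tuple[str, str]]) -> bool:
    """True when the issuer's RDN sequence is a proper prefix of the subject's."""
    return len(subject) > len(issuer) and subject[: len(issuer)] == issuer
```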