pem-dev

Re: Certificates, Names and Attributes

1993-08-16 07:15:00
Tom,

        A couple of notes on your response to Bob Jueneman's
certificate wish list message:

        - Yes, one could encode an employee's ID number in the serial
number field if these numbers are guaranteed to be unique.

        - The name in a certificate is a DN, and some of the other
attributes you note in your message seem unlikely to be distinguished
attributes in most people's idea of appropriate schema.  The problem
Bob has is that he is trying to add attributes to the certificate to
provide useful information from a security standpoint, but these
attributes are not appropriate as distinguished attributes from an
X.500 standpoint.

        - A DN defining a role would not have a CN for the role
occupant, I think.  If you look at the object classes in X.500 you'll
see that the semantics of role and role occupant go together.  I would
expect a DN for a role, and the entry corresponding to the DN could
have an attribute that specifies the DN of the role occupant, but the
role occupant would not be a distinguished attribute and this should
not be in the subject name for the certificate corresponding to that
entry.

        - The same reasoning applies to attributes that indicate the
assurance level of the hardware and procedures used by a CA; these are
interesting aspects of the CA and the users he certifies, but these
"attributes" have no place in the DNs of either.

Steve
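The directory structure Steve describes, as an added example that is not part of the original message or of the PEM work: a role is its own X.500 entry (object class organizationalRole) whose DN is what would go in a certificate subject, while the person filling the role is recorded in the entry's roleOccupant attribute, which is not a naming attribute. The object class and attribute names (organizationalRole, roleOccupant, cn, ou, o, c) are the standard X.500/LDAP ones; the sample entries, the "assuranceLevel" attribute and the small sets of distinguished and non-distinguished attribute types are constructed for illustration, not taken from any schema on this page.

```python
"""
Added example (not from the original message): a small X.500-style model
showing why a role's DN and the role occupant are kept separate, and why
attributes such as roleOccupant or a CA's assurance level, which describe
an entry rather than name it, have no place in a certificate subject name.
"""
from dataclasses import dataclass, field

# Attribute types that may name an entry (a small subset of the X.520
# naming attributes, chosen for this example).
DISTINGUISHED_TYPES = {"c", "o", "ou", "cn", "l", "st", "serialNumber"}

# Attribute types that describe an entry but never form part of its DN.
# "assuranceLevel" is a constructed name standing in for the kind of CA
# attribute discussed above; roleOccupant and mail are standard.
NON_DISTINGUISHED_TYPES = {"roleOccupant", "assuranceLevel", "mail"}


@dataclass
class Entry:
    dn: str                  # e.g. "cn=Security Officer,ou=Ops,o=Example,c=US"
    object_class: str        # e.g. "person" or "organizationalRole"
    attrs: dict = field(default_factory=dict)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into (type, value) RDN pairs, leaf first.

    A backslash escapes the next character, so a DN-valued attribute
    (commas inside the value) does not break the split.
    """
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for rdn in parts:
        attr_type, _, value = rdn.partition("=")
        rdns.append((attr_type.strip(), value.strip()))
    return rdns


def non_distinguished_in(dn: str) -> list[str]:
    """Attribute types in `dn` that are not naming attributes."""
    return [t for t, _ in parse_dn(dn) if t not in DISTINGUISHED_TYPES]


def subject_name_for(entry: Entry) -> str:
    """The certificate subject for an entry is its DN and nothing else.

    Raises if someone has tried to push descriptive attributes (role
    occupant, assurance level, ...) into the name.
    """
    bad = non_distinguished_in(entry.dn)
    if bad:
        raise ValueError(f"non-distinguished attribute(s) in subject DN: {bad}")
    return entry.dn


def role_occupants(role: Entry) -> list[str]:
    """DNs of the people currently filling a role, read from the role
    entry's roleOccupant attribute rather than from its name."""
    if role.object_class != "organizationalRole":
        raise ValueError(f"{role.dn} is not an organizationalRole entry")
    return list(role.attrs.get("roleOccupant", []))


# Constructed sample directory: a person entry, and a role entry whose
# roleOccupant attribute points at the person's DN.
alice = Entry("cn=Alice Example,ou=Ops,o=Example,c=US", "person",
              {"mail": ["alice@example.com"]})
security_officer = Entry("cn=Security Officer,ou=Ops,o=Example,c=US",
                         "organizationalRole",
                         {"roleOccupant": [alice.dn]})

if __name__ == "__main__":
    print("role subject:   ", subject_name_for(security_officer))
    print("role occupants: ", role_occupants(security_officer))
    # Changing who holds the role changes the attribute, not the DN, so
    # the role's certificate subject stays stable.
    security_officer.attrs["roleOccupant"] = ["cn=Bob Example,ou=Ops,o=Example,c=US"]
    print("after handover: ", role_occupants(security_officer),
          "subject unchanged:", subject_name_for(security_officer))
```

The handover at the end is the practical reason for the split: when the occupant changes, only the roleOccupant attribute of the role entry is updated, and the certificate issued to the role DN remains valid, whereas a subject name that embedded the occupant would have to be reissued.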
