Steve,
<The idea of the IANA registry for common attribute values was
<to establish a clearinghouse for attributes that are thought to be
<generally useful and which all PEM UAs should be able to support. An
<ID number seems to fit nicely in this category. I really think it
<makes sense to have multiple entries that are distinguished by
<inclusion of this sort of numeric ID attribute, but that it is harder
<to justify using CN to record this info in a second tier of entries
<below the "real" CN.
I am a little uncomfortable about the lack of specificity or
semantics of the X.509 '93 definition of an issuerUniqueIdentifier
or subjectUniqueIdentifier (UID), but I would gladly settle
for its use. Is the IANA going to establish such a use, and if so
when, and how do we determine which implementations are going
to support these uses?
The Note in para 6.3, page 9, of the 1993 version of X.509
says:
"Note--In situations where a distinguished name might be reassigned
to a different user by the Naming Authority, CAs can use the
unique identifier to distinguish between reused instances.
However, if the same user is provided certificates by multiple CAs,
it is recommended that the CAs coordinate on the assignment of
unique identifiers as part of their user registration procedures."
The first use, to differentiate between two users with the same
name (perhaps over time), would fit well with the employee number
concept.
The second use, for the case where the same user has multiple
certificates issued by multiple CAs, won't be necessary if the PEM
name subordination rules are followed, since there already will be
two unique DNs by the time you get down to the user's name. However,
this assumes that if a user has two different certificates, say one with
stronger assurance than another, that there will be two different CAs
involved, presumably distinguished at the Organizational Unit level.
But this is as bad a hack as some that I have suggested!
What happens if one CA is certified by two PCAs? Now there are
two different certificates with two different issuers, but no obvious
way to tell them apart from the Distinguished Name point of view
because these attributes are not "distinguished" attributes. Right?
Or am I being silly?
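The two naming points argued above (PEM name subordination making DNs unique down to the user, and a reassigned name being told apart only by a unique identifier) can be checked mechanically. The following is an added illustration, not part of the original message or of any PEM implementation: it parses a simplified string form of a Distinguished Name, tests RFC 1422-style subordination of a subject DN under its issuer DN, and shows that two certificates for a reused name are indistinguishable by (issuer, subject) alone but are distinguished once a subjectUniqueIdentifier-like value is included. The DN strings, employee numbers and serial numbers are constructed sample data; the `Cert` record is a stand-in for the relevant X.509 fields, not a real certificate encoding.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("OU", "Eng")


def parse_dn(dn: str) -> List[RDN]:
    """Parse 'C=US, O=Acme, OU=Eng, CN=Alice' into an ordered RDN list (root first).

    Simplified: one attribute per RDN, no escaped commas, no multi-valued RDNs.
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def is_subordinate(issuer_dn: str, subject_dn: str) -> bool:
    """PEM name subordination: the subject DN must strictly extend the issuer DN.

    A CA named C=US, O=Acme, OU=Eng may only certify names below that point,
    so two distinct CAs (different OUs) necessarily yield two distinct user DNs.
    """
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    return len(subject) > len(issuer) and subject[: len(issuer)] == issuer


@dataclass(frozen=True)
class Cert:
    """Just the fields this discussion turns on (constructed stand-in, not DER)."""
    issuer: str
    subject: str
    serial: int
    subject_uid: Optional[bytes] = None  # plays the role of subjectUniqueIdentifier


def dn_key(c: Cert):
    """What a relying party sees if it identifies a certificate by names only."""
    return (c.issuer, c.subject)


def uid_key(c: Cert):
    """Names plus the per-user unique identifier (e.g. an employee number)."""
    return (c.issuer, c.subject, c.subject_uid)


def distinguishable(certs: List[Cert], key: Callable[[Cert], tuple]) -> bool:
    """True if every certificate in the list maps to a different key."""
    keys = [key(c) for c in certs]
    return len(set(keys)) == len(keys)


# Constructed sample: the name "Alice" under OU=Eng is reassigned to a second
# person two years later, so both certificates carry the identical subject DN.
CA_DN = "C=US, O=Acme, OU=Eng"
ALICE_DN = "C=US, O=Acme, OU=Eng, CN=Alice"
ALICE_1993 = Cert(issuer=CA_DN, subject=ALICE_DN, serial=1, subject_uid=b"emp-1042")
ALICE_1995 = Cert(issuer=CA_DN, subject=ALICE_DN, serial=17, subject_uid=b"emp-2210")


def reused_name_demo() -> Tuple[bool, bool]:
    """(distinguishable by DN alone, distinguishable with unique identifier)."""
    pair = [ALICE_1993, ALICE_1995]
    return distinguishable(pair, dn_key), distinguishable(pair, uid_key)


if __name__ == "__main__":
    print("subordinate:", is_subordinate(CA_DN, ALICE_DN))
    print("by DN / by DN+UID:", reused_name_demo())
```

Running it shows the subordination check passing for the sample CA and user, the two "Alice" certificates colliding when keyed by names alone, and separating once the unique identifier is part of the key; the check also rejects a subject whose OU differs from the issuer's, which is the case where subordination itself yields two distinct DNs.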