Bob>
On the other hand, if a certificate contained
C=US, O=GTE Labs,
organizationalRole={CN="Chief Financial Officer +
roleOccupant=
(C=US,O=GTE,CN="Frank Strouse" +
Title="Director, Finance and Administration" +
Serial=007)
}
Mark -- Please correct me if this use of a nested multivalued RDN
is not correct.
Yes, I believe it is possible that an RDN component may be an attribute
with DN syntax, i.e. roleOccupant or seeAlso. [What PEMs support this,
though?]
I'd like to ask the major PEM developers to respond to this question, as without
this capability what we are proposing for the RSA Commercial Hierarchy may
not be workable.
I'm also more than a little confused about the
syntax that is used to indicate an organizational role, since an
organizationalRole is an object class, not an attribute.>
There is no DN syntax for this.
Distinguished Names do not indicate what the object class is of the
object which they're naming. Without a Directory system, it's not
really possible to tell. User Agents tend to guess based on the
RDN: countryName attribute implies country, organizationName implies
organization. However, the object classes person, organizationalRole,
groupOfNames, applicationProcess, applicationEntity, and device are all named
by the commonName attribute in X.521(93) Section 3.
I don't understand how an organizationalRole would be indicated
if there is no role occupant, because a common name is used to
indicate the role. How would you tell the difference between a
person's name and a role name?
X.521 does not require that an organizationalRole have a roleOccupant.
Then I agree with a position previously taken by TCJones, and disagree with
Steve Kent. The only example that I can think of that makes some sense for
an organizationalRole without a designated roleOccupant is the kind of
"Quality checked by Inspector #7" ticket you sometimes find in a pair of
pajamas. Basically, this is meaningless noise.
I would therefore propose that we use the existence of the roleOccupant
designation in the DN to imply an organizationalRole in those instances where
there is no underlying directory structure, e.g., in an X.509 certificate
used with PEM alone.
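As an added example (not code from this message or from any PEM implementation), the nested multivalued RDN discussed above modelled in Python and rendered in RFC 4514 string form (an assumption; that string form postdates this discussion), together with the proposed heuristic that a roleOccupant in the leaf RDN marks an organizationalRole when no Directory can be consulted:

```python
# Added example: models a DN as a list of RDNs, each RDN a list of
# (attributeType, value) pairs; a value may itself be a nested DN, as with
# roleOccupant. Escaping follows RFC 4514 (assumed for a readable rendering).
from typing import Any, List, Tuple

DN = List[List[Tuple[str, Any]]]   # root RDN first; value is str or a nested DN

_SPECIAL = set(',+"\\<>;')          # characters RFC 4514 requires escaping inside a value


def escape(value: str) -> str:
    """Escape a single attribute value for the string form of an AVA."""
    out = "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):       # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):           # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def dn_to_string(dn: DN) -> str:
    """Render a DN; a DN-valued attribute is embedded as one escaped string value."""
    rdns = []
    for rdn in dn:
        avas = []
        for attr, val in rdn:
            text = dn_to_string(val) if isinstance(val, list) else val
            avas.append(f"{attr}={escape(text)}")
        rdns.append("+".join(avas))
    return ",".join(rdns)


def implies_organizational_role(dn: DN) -> bool:
    """The proposal from the thread: without a Directory, a leaf RDN carrying a
    roleOccupant AVA is taken to name an organizationalRole, not a person."""
    return any(attr.lower() == "roleoccupant" for attr, _ in dn[-1])


# Constructed sample data mirroring the CFO example in the thread.
FRANK: DN = [
    [("C", "US")], [("O", "GTE")],
    [("CN", "Frank Strouse"),
     ("Title", "Director, Finance and Administration"),
     ("Serial", "007")],
]
CFO_ROLE: DN = [
    [("C", "US")], [("O", "GTE Labs")],
    [("CN", "Chief Financial Officer"), ("roleOccupant", FRANK)],
]

if __name__ == "__main__":
    for name, dn in (("person", FRANK), ("role", CFO_ROLE)):
        print(name, implies_organizational_role(dn), dn_to_string(dn))
```

Note that the comma inside the Title value, and every special character of the embedded occupant DN, is escaped so the outer RDN can still be split unambiguously.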