Bahreman> A DN is to uniquely identify the user. It should not require the CA's name in the users' DN. Just think about how the DN can be specified later? Do you want to know or care what CA I registered with? Actually, I think having the CA name in the DN is a source of global incompatibility and non-uniqueness.
The CA name is required in the DN (name subordination) precisely to ensure global uniqueness. In a sense, the CA becomes a naming authority, and is responsible for ensuring global uniqueness by adding qualifiers as necessary. If the CA name is not included to identify the naming authority, how would you propose to prevent the possible duplication of names?

I extended the principle to cover residential persons, just to eliminate any ambiguity as to who was responsible for identifying the user. Yes, I do care which CA you registered with, particularly if I want some assurance that you really are who you claim to be.

This is a well-established and pretty basic concept within PEM, although it is not required by the basic X.500 distinguished name construct. Am I missing something in your questions?
Bob
P.S. I recently became aware of another potential problem. ANSI is not the only name registration authority within C=US. The government has two other naming authorities, presumably one for DOD and one for other, yet these naming authorities are only numbered, not specifically named. I'm not worried about the government registering as GTE, or a commercial user registering as the 114th Infantry Company, but Murphy's law will probably strike sooner or later. In any case it would be nice to know whether an organization enjoys sovereign immunity or not. Maybe someone who has more familiarity with ANSI registration procedures could straighten me out if I have an incorrect understanding of this.
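The name-subordination rule Bob describes (the CA's DN must be a prefix of every DN it certifies) is mechanically checkable, and a relying party that enforces it catches a certificate whose subject strays outside its issuer's name space. The following is an added example, not code from the thread or from any PEM implementation; it assumes DNs are written root-first in the "C=US, O=GTE, CN=Bob" string form, and the sample chains are constructed.

```python
# Added example: checker for PEM-style name subordination. A subject DN is
# acceptable only if it lies strictly beneath its issuer's DN, so the CA is
# the naming authority for everything it certifies. DN strings are assumed
# to be root-first and comma-separated ("C=US, O=GTE, CN=Bob").
import re
from typing import List, Optional, Sequence, Tuple

RDN = Tuple[str, str]  # (attribute type, value)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, root first.

    Backslash-escaped commas inside a value are kept as part of the value;
    attribute types are upper-cased so 'cn' and 'CN' compare equal.
    """
    parts = re.split(r'(?<!\\),', dn)
    rdns: List[RDN] = []
    for part in parts:
        if '=' not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr_type, value = part.split('=', 1)
        rdns.append((attr_type.strip().upper(),
                     value.strip().replace('\\,', ',')))
    return rdns


def is_subordinate(subject_dn: str, issuer_dn: str) -> bool:
    """True if the issuer DN is a proper prefix of the subject DN.

    Values are compared case-insensitively; a subject equal to its issuer
    is rejected, since the CA must add at least one qualifying RDN.
    """
    subj, issuer = parse_dn(subject_dn), parse_dn(issuer_dn)
    if len(subj) <= len(issuer):
        return False
    return all(st == it and sv.casefold() == iv.casefold()
               for (st, sv), (it, iv) in zip(subj, issuer))


def check_chain(chain: Sequence[Tuple[str, str]]) -> Optional[str]:
    """Walk (subject, issuer) pairs from end entity toward the root and
    return the first subject DN that violates subordination, else None."""
    for subject, issuer in chain:
        if not is_subordinate(subject, issuer):
            return subject
    return None


# Constructed samples: a chain that honours subordination, and one where an
# end entity claims an organisation its CA is not authoritative for.
GOOD_CHAIN = [("C=US, O=GTE, OU=Labs, CN=Bob", "C=US, O=GTE"),
              ("C=US, O=GTE", "C=US")]
BAD_CHAIN = [("C=US, O=Acme Corp, CN=Alice", "C=US, O=GTE")]
```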