
Re: DNs (Re: Residential CAs and DN subordination)

1993-09-21 16:42:00
Apparently simple questions on this subject become very
complex very quickly. I won't profess to be an expert either.

A major part of the problem is that we don't have any
working X.500 directories, at least on any significant
scale, and unless you have been following the North 
American Directories Forum (and I haven't been), you
won't know what the various X.500 service providers
are thinking.

I may be misunderstanding RFC 1422, however, I do not believe that the
RFC requires the DN of individual users to be "subordinate" to their
issuing CA's DN.  And I think it should not.  However, the Certificate
hierarchy can, as it does, impose "subordinate naming" restrictions
for the DNs used to identify the CAs in the hierarchy (except PCAs).

I don't have the RFCs in front of me. But all of the PCAs that I am aware of
require the user's name to be subordinate to the CA's name.

      I quote from RFC1422: Section 3.3.4 on Subject Name
      ... A distinguished name is an X.500 directory system
      concept and if a user is already registered in an X.500
      directory, his distinguished name is defined via that
      registration. ...

What are the chances that if I am already registered with X.500, my DN
will include some CA's DN (e.g. ...O=RSA-DSI-CA) ?  Not likely.

I tend to disagree. At least within the US, X.500 service providers are
most likely to be individual companies who register their own employees.
Maybe we will eventually get to the point where all of the RBOCS and
other local exchange carriers list all of their customers in an X.500 directory,
but it is not clear to me even then that the so-called "civil naming authority"
will be used to define a residential person without further qualification.

(Back in the good old days of Ma Bell, maybe the phone company could
be equated to a civil naming authority. But now that we have competition
in the long distance arena and increasing competition for basic dial tone
service, this is no longer the case. Who is going to register you -- your
telephone company, your cellular company, your paging company, the 
post office, UPS, Federal Express, ...? In my house, for instance, I have two
incoming land lines, each served by a different long distance carrier. I also
have a cellular line for emergency backup and overflow, plus two mobile 
cellular phones. I don't yet have a beeper, but I do have a FAX. I would 
love to have someone integrate all of that information in one place, but
I would also want to control who has access to it. I don't see any one
carrier or other directory service provider providing this functionality. 
Businesses have the same need internally, and they are more likely
to provide the X.500 service locally, then extend it regionally.
Businesses are also FAR more likely to be issuing certificates for their
employees, at least until the banks get into the act. Given the current 
political climate, the only reasonably sure bet is that it WON'T be your city
or the state Department of Motor Vehicles that provides these services. 
IMHO, of course:)

I think that CAs should not become "Name Registers".  It is not their
business to manage uniqueness of DNs.  It is their business to verify
(as good as their policy states) that a user is really who s/he claims
to be and bind their identity to their public key by signing their
certificate.

Again, I disagree. If you really want to guarantee global name uniqueness, 
then concatenate the individual's recorded birth name, the maiden name of 
mother, and the date, time and (fully-qualified) place of his birth. Then
hash all of that with MD5 and you'll have an ID that is probably unique.
Otherwise, if I want to send a letter to John Jones, I'd better qualify
his name with some more information about him, such as his address. And
since I am probably corresponding with him in a business capacity and 
businesses face these problems routinely, it seems perfectly reasonable for
the CA (i.e., the person's employer) to ensure the global uniqueness of
the name through a name qualification scheme.

Even then, the DN format should not allow use of attributes that can
change or in any way imply the capabilities a user may have (not even
an organizational affiliation, to avoid its use for access control and
authorization).  Much less having the DN of a CA (as a name registration
authority) included in the  DN of users.  It would be nice if we
could separate the DN itself from the name registration authority. 
There are several problems that are raised if one uses DN semantics to
make access control decisions or anything else DNs are not meant for.
As I understand it, a DN is simply a unique way of identifying an
entity.

As you may have gathered, I strongly disagree here. Assuming that we
use digital signatures and encryption for anything more important than
idle cocktail party chatter, the organizational affiliation of an individual
lies at the core of who that person IS, in a very real sense. This may not
be politically correct or sufficiently utopian for some, but I think it is a 
FACT.

Virtually all of my correspondence is done for business purposes, where
a record may be desired and it may be necessary to obtain concurrence 
of others and/or inform them -- just as we use pem-dev. If I want to converse
with my wife, daughter, parents, or friends, I call them on the phone. I can 
type faster than I can write, but I can talk faster yet.

When I correspond with someone, I make judgments about that person
based on who he or she works for, what line of business they are in,
whether they are potentially a competitor or an ally, whether they seem 
to know what they are talking about, etc. For instance in your case,
because I know a lot about Bell Labs, I almost automatically give you
more attention and credence than if you worked for Acme Plumbing and
Septic Tanks, Inc. Now maybe Acme has an active R&D program in 
Privacy Enhanced Mail and X.500, and maybe I would be doing someone
who worked for them a serious disservice by not giving him more credence,
but times are tough and life is short.

Why should I (as one individual in planet Earth) have several DNs?  
Why should I not be able to use any one of my DNs to identify myself
wherever I need to do so?  If a single DN is truly Distinguished,
what is the need for more than one?

Because we all take on different identities and roles at different times,
and we have different functions and authorizations, at least implicitly,
for each of those roles. And finally, when I sign my name, it means
different things depending on which role I am playing at the moment.

My personal life is one thing, my business is another. I may also have
a sideline or avocation, and I may keep a separate set of accounts
for this second business. I might also be the secretary of the bowling
league, the custodian of the office coffee club kitty, etc. Each of these
functions is kept in a different "pocket", and each has a different set of
capabilities and authorizations, even if they are not always formally
expressed.

I hope this has helped, but by the way you are certainly not obligated
to agree with me. In fact, you'll be in good company!

Regards, Bob
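The "subordinate naming" question argued above is a mechanical check once DNs are parsed: a user's DN is subordinate to a CA's DN exactly when it extends the CA's sequence of RDNs. The following is an added illustration, not code from the thread or from any PEM implementation; it assumes the root-first string form the message uses (e.g. "C=US, O=RSA-DSI-CA, CN=Bob") with no escaped commas.

```python
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("O", "RSA-DSI-CA")


def parse_dn(dn: str) -> List[RDN]:
    """Split a root-first textual DN into (type, value) pairs.

    Assumption (constructed for this example): RDNs are separated by commas,
    each is 'type=value', and values contain no escaped commas.
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def is_subordinate(subject_dn: str, ca_dn: str) -> bool:
    """True when subject_dn extends ca_dn by at least one RDN.

    Attribute types are compared case-insensitively; values are compared
    case-insensitively as a simplification of X.500 matching rules.
    A DN is not subordinate to itself.
    """
    subject = parse_dn(subject_dn)
    ca = parse_dn(ca_dn)
    if len(subject) <= len(ca):
        return False
    return all(st == ct and sv.lower() == cv.lower()
               for (st, sv), (ct, cv) in zip(subject, ca))


if __name__ == "__main__":
    # Constructed sample DNs illustrating the point argued in the thread:
    # a user already registered by his employer in X.500 will generally
    # NOT carry the CA's DN as a prefix of his own.
    ca = "C=US, O=RSA-DSI-CA"
    print(is_subordinate("C=US, O=RSA-DSI-CA, CN=Bob", ca))      # True
    print(is_subordinate("C=US, O=Acme Plumbing, CN=John Jones", ca))  # False
```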


