pem-dev

Re: Residential CAs and DN subordination

1993-11-09 14:03:00

Alireza,

        In a reply to Bob last month you stated "A DN is to uniquely 
identify the user.  It should not require the CA's name in the 
users' DN.  Just think about how the DN can be specified later?  
Do you want to know or care what CA I registered with?
Actually, I think having the CA name in the DN is a source of 
global incompatibility and non-uniqueness."

        The CA's DN is part of the user's DN because of the PEM DN 
subordination requirement that kicks in at the CA (but not IPRA 
nor PCA) tier.  Contrary to your assertion, the name subordination 
requirement contributes to the ease with which a CA can be assured 
that the user's names are globally unique, since the CA need only 
ensure that this name is unique among all those certified by this 
CA.  I do not understand what aspect of "global compatibility" you 
feel is affected by this requirement.

Steve

     ============= and another response ========================
To: Ali Bahreman <ali(_at_)ctt(_dot_)bellcore(_dot_)com>
cc: pem-dev(_at_)tis(_dot_)com
Subject: DNs (Re: Residential CAs and DN subordination)
----------
Ali,

        You did misunderstand 1422 in a message last month.  1422 
does require user DNs to be subordinate to CA DNs.  Yes, there is 
the potential problem that a user could already have a DN and not 
be able to be certified because that DN is incompatible with the 
name subordination requirement.  Let me explain why the name 
subordination requirement is viewed as important in PEM, as I fear 
it is frequently misunderstood.  

        Name subordination has several important features:  it makes 
globally unique name assignment easier, it protects users from 
rogue (or just careless) CAs, and it simplifies what must be 
displayed for a recipient of a message.  This last point is worth 
more discussion.  As specified, PEM requires only two data values 
be displayed for a user to uniquely identify a message originator 
or recipient and to assess the quality of the binding implied by 
that originator's or recipient's certificate.  The two values are 
the PCA name (or local alias) and the originator/recipient name 
(or local alias).  Without name subordination, a full 
certification path would have to be displayed to prevent user 
spoofing.  Given the existence of a persona PCA, this is an 
especially important feature.

        With regard to the larger issue of user DN formats, I agree 
that this is a complex issue.  We probably cannot get along with a 
single DN in all instances, for the same reasons that we have 
separate credentials cards for ACM, IEEE, driver's license, 
passport, etc.  We could, in principle, have a single DN and just 
have each organization issue an authorization certificate tied to 
this basic identity, but this has the disadvantage of trying to 
make the single, unique identity descriptive as well.  The 
compromise we have is multiple DNs and certificates for 
organizational, residential, and other "roles" in which people are 
known.

Steve

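The subordination rule Steve describes (user DN extends the certifying CA's DN, enforced below the PCA tier only) and the "two displayed values" consequence, as an added example that is not part of the original messages or of RFC 1422; the simplified comma-separated DN syntax and the (tier, dn) path representation are assumptions of this example:

```python
# Added illustration of the RFC 1422 name-subordination rule discussed above:
# below the PCA tier, a subject's DN must extend the DN of the CA certifying
# it.  Example code, not taken from RFC 1422 or any PEM implementation.
from typing import List, Tuple

RDN = Tuple[str, str]

def parse_dn(dn: str) -> List[RDN]:
    """Split 'C=US, O=Example Corp, CN=Alice' into ordered (attr, value) pairs.
    Simplified syntax (assumption): no escaped commas or multi-valued RDNs."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def is_subordinate(subject_dn: str, issuer_dn: str) -> bool:
    """True when the issuer's RDN sequence is a proper prefix of the subject's."""
    subj, iss = parse_dn(subject_dn), parse_dn(issuer_dn)
    return len(subj) > len(iss) and subj[: len(iss)] == iss

def check_path(path: List[Tuple[str, str]]) -> List[str]:
    """path: (tier, dn) pairs ordered IPRA -> PCA -> CA... -> USER.
    Subordination is enforced only where the issuer is a CA, matching the
    message's point that it does not apply at the IPRA or PCA tier.
    Returns the list of violations (empty means the path is acceptable)."""
    violations = []
    for (iss_tier, iss_dn), (subj_tier, subj_dn) in zip(path, path[1:]):
        if iss_tier == "CA" and not is_subordinate(subj_dn, iss_dn):
            violations.append(f"{subj_tier} {subj_dn!r} not under CA {iss_dn!r}")
    return violations

def display_identity(path: List[Tuple[str, str]]) -> Tuple[str, str]:
    """The two values PEM requires a UA to show: the PCA name and the end
    entity's name.  Only meaningful once check_path() reports no violations."""
    if check_path(path):
        raise ValueError("path violates name subordination; show full path")
    pca = next(dn for tier, dn in path if tier == "PCA")
    return pca, path[-1][1]

# Constructed sample paths (not real certificates).
GOOD_PATH = [("IPRA", "CN=Internet PCA Registration Authority"),
             ("PCA", "O=Example Commercial PCA"),
             ("CA", "C=US, O=Example Corp"),
             ("USER", "C=US, O=Example Corp, OU=Sales, CN=Alice Example")]
# A CA certifying a name outside its own subtree: the case subordination rules out.
BAD_PATH = GOOD_PATH[:3] + [("USER", "C=US, O=Other Bank, CN=Alice Example")]
```

For GOOD_PATH the recipient's agent needs only the PCA name and the user name; for BAD_PATH the check fails and the full path would have to be shown, which is the spoofing exposure the rule removes.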