Steve,
I think you may have missed my point with regard to name subordination.
My example of having banks and/or other commercial organizations
act as a CA was merely intended to counter the assumption that
the government seems to be making, i.e., that the US Post Office
should "naturally" be the CA of choice for all residential persons.
Utility companies and wireline communications companies have at least
as good a knowledge of who lives at a given location as the Post Office,
for unlike the Post Office they send out bills and expect to be paid.
Also unlike the Post Office, they clearly do not enjoy sovereign immunity,
so they can be sued if they screw up too badly. Whether the PO has
sovereign immunity or would consent to be sued isn't clear, so if they fail
to do their job in an acceptable manner, the individual or company who is injured
may not have any recourse.
Banks and other financial institutions do not have the direct, hardwired
connection to a person's residence that the utilities do, but they are a
trusted part of the infrastructure of society, and they could conceivably
play a role in issuing identification certificates to residential persons.
This would NOT necessarily be the equivalent of a credit card, unless
the bank has an agreement to that effect with the customer.
Of course the de facto identification organization is the Dept. of Motor
Vehicles in each state, because they issue driver's licenses and
require you to appear in person and identify yourself to get one
(although it may be possible to renew by mail). Unfortunately,
most state governments are so overworked and understaffed that it
is pretty unlikely that they would be willing to take on this additional
responsibility.
(As an interesting note, in Massachusetts the Registry of Motor Vehicles
is so backed up and unable to even answer the phone that they have
proposed using convict labor to perform some of these administrative tasks.
Now that ought to inspire a lot of confidence in the integrity of our
driver's licenses as a means of identification!)
Upon reflection, maybe I was making some assumptions that should be
specifically tested, in order to force the issue. Based on the discussions
you and I had with Hoyt Kesterson and Sead Muftic, I believe that we have
agreed upon the following model of civil naming authorities:
1. If only the country and organization is specified, it is assumed that the
organization is registered with (and guaranteed to have a unique name by)
a national-level body within that country. Within the US, that body is ANSI
for non-government organizations and GSA for government organizations.
Therefore, if a certificate says C=US, O=XYZ Corp., that implies that
XYZ Corp. is registered with ANSI and guaranteed to have a unique name
(within ANSI's domain, at least), and the PCA or CA that certifies that
organization would be required to exercise whatever degree of due
diligence is required by its policy in corroborating that fact.
2. If a country and state (or province) and organization is specified, it can
be assumed (and the CA must assure) that the organization is registered
at the state level, usually with the Secretary of State of that state. Normally
this will apply to corporations, and the state would therefore be the state in
which it is incorporated. Certain partnerships and professional
organizations may also be chartered or registered at the state level.
3. If a locality is specified, then it can be assumed that the organization
is registered or known by the appropriate civil authority of that locality.
Various cities, towns, townships, counties or parishes may have different
governmental organizations which are responsible for this registration, but
presumably any organization doing business in that locality must obtain
a business license, and so it would be possible to go to the town hall
and obtain records of mailing addresses, etc., as required to locate that
organization.
4. If an organization operates a facility outside of the state in which
it is incorporated, then except in the case of a nationally registered
corporation, the usage should be something like
C=US, S=DE, O=GTE Laboratories Incorporated, S=MA, L=Waltham,
CN="Robert R. Jueneman"
implying that although GTE Labs is incorporated in Delaware, their
offices (and their records) are in Waltham, MA.
5. In the case of an organization which operates a branch office away from
its headquarters, the name should be something like
C=US, S=MA, L=Waltham, O=GTE Government Systems,
S=MD, L=Rockville, OU=Rockville Operations, CN=John Doe
In most cases the organization name that is used will be obvious. However,
in the case of complex organizations such as subsidiaries of holding
companies, consortiums, franchise operations, "doing business as" or
"trading as" concerns, etc., it is important that the full and complete
legal name be used in the certificate, and not just the trade name.
An example would be
C=US, S=MA, L=Waltham, O="Joe and Edna Nudnick, dba Kentucky Fried
Chicken of Waltham"
The implication of this is that if I wished to file suit against KFC of Waltham
for some reason, I should be able to go to the Waltham City Hall and find
the business license and other records concerning that business. Although
the city of Waltham did not issue the certificate, the PCA would be well
within its rights to issue that organization a certificate if they produced
a copy of their business license.
Now take the case of a residential person who happens to live in Waltham,
and again let us assume that the City of Waltham is not likely to issue
certificates in the foreseeable future. What should a CA do that wishes to
issue a certificate to that individual? Unless that person happens to
own property in Waltham, City Hall is not likely to have any record of that
person at all, except possibly for a voter registration card.
What responsibility should the CA have to ensure that the person does
live in that locality, and how should they ensure that a globally unique
name is used? What happens if two different PCAs operate CAs, and
both issue certificates to people with the same name? It could be
that this is the same person, who chooses to register under two
different PCAs because he wants to use one certificate under one PCA
policy for one purpose, and another for another. Or it could be that there
are two people with the same name at the same address, e.g., in a
large apartment where everyone has the same street address, or at
a school, or even in a prison.
It seems to me that coordination of these names is extremely awkward,
because there might be two different circumstances. I would prefer that
AT LEAST FOR PURPOSES OF THE X.509 CERTIFICATE, the user's
name be subordinated to the CA that issued the certificate. For
convenience in looking up that name in an X.500 directory, a more user
friendly alias can be created.
This would result in a certificate containing something like
C=US, O="RSA Data Security, Inc.", OU="Residential High Assurance CA"
S=MA, L=Acton, CN="Robert R. Jueneman"
The entry in the X.500 directory might look like
C=US, S=MA, L=Acton, CN="Robert R. Jueneman"
but this alias would point to the full record.
Another entry might be
C=US, O="Trusted Information Systems" OU="Residential Medium Assurance CA"
S=MA, L=Acton, CN="Robert R. Jueneman"
In this case, trying to use the same alias to point to two different
DNs would not be permitted.
Is this what we are saying, or have I gone too far?
Bob
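
The subordination and alias rule described in the message above, as an added example (not part of the original message or of any directory implementation): a Python sketch that parses the comma-separated DN notation used here, checks that a subject name is subordinate to the issuing CA's name, and refuses to point one alias at two different DNs. The function and class names are hypothetical, the sample DNs are constructed from the message's examples with commas added between components, and values are compared case-insensitively as a simplifying assumption.

```python
import re

# One name component: attribute type, '=', then a quoted value or text up to the next comma.
_RDN = re.compile(r'\s*([A-Za-z]+)\s*=\s*(?:"([^"]*)"|([^,]*))\s*(?:,|$)')

def parse_dn(text):
    """Parse 'C=US, O="X, Inc.", CN=...' into an ordered list of (type, value) pairs."""
    text, rdns, pos = text.strip(), [], 0
    while pos < len(text):
        m = _RDN.match(text, pos)
        if not m:
            raise ValueError(f"bad DN near offset {pos}: {text[pos:]!r}")
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        rdns.append((m.group(1).upper(), value))
        pos = m.end()
    return rdns

def norm(dn):
    """Comparable form: collapse whitespace and ignore case in values (assumption)."""
    return tuple((t, " ".join(v.split()).casefold()) for t, v in parse_dn(dn))

def is_subordinate(subject, issuer):
    """True when the subject DN starts with every component of the issuer DN."""
    s, i = norm(subject), norm(issuer)
    return len(s) > len(i) and s[:len(i)] == i

class AliasTable:
    """Directory aliases: each friendly name may point at exactly one full DN."""
    def __init__(self):
        self._target = {}

    def add(self, alias, target):
        a, t = norm(alias), norm(target)
        existing = self._target.setdefault(a, t)
        if existing != t:
            raise ValueError("alias already points to a different DN")
        return t

# Constructed sample names, taken from the examples in the message.
RSA_CA = 'C=US, O="RSA Data Security, Inc.", OU="Residential High Assurance CA"'
TIS_CA = 'C=US, O="Trusted Information Systems", OU="Residential Medium Assurance CA"'
RESIDENT = 'S=MA, L=Acton, CN="Robert R. Jueneman"'
ALIAS = "C=US, " + RESIDENT

if __name__ == "__main__":
    table = AliasTable()
    table.add(ALIAS, RSA_CA + ", " + RESIDENT)
    print(is_subordinate(RSA_CA + ", " + RESIDENT, RSA_CA))
    try:
        table.add(ALIAS, TIS_CA + ", " + RESIDENT)
    except ValueError as err:
        print("rejected:", err)
```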