pem-dev

Name Subordination

1993-12-21 16:30:00
Consider the following two examples of proposed distinguished names
for PCAs:

countryName=US, stateOrProvinceName=MD, organizationName=Trusted
Information Systems PCA

countryName=US, organizationName=RSA Data Security, Inc.,
organizationalUnitName=Low Assurance Certification Authority

On the surface these look like reasonable distinguished names but two
things are confusing to me.  If I just look at the X.500 recommendation
and ignore the differences between PCAs and CAs it would seem that
the above have some inconsistencies with X.500.  Each one of the
above RDNs came from some object class.

AttributeType           ObjectClass
___________________________________
countryName             country
stateOrProvinceName     locality
organizationName        organization
organizationalUnitName  organizationalUnit

Everything seems fine until we get to the
organizationName for TIS and organizationalUnitName for RSA.  Here
it seems like we are overloading the object class with multiple roles:
the name of the organization, as well as the fact that it is a PCA.  X.521
defines the following objectClass:

certificationAuthority OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
        cACertificate,
        certificateRevocationList,
        authorityRevocationList}
        MAY CONTAIN {crossCertificatePair}
::={objectClass 16}

This as defined in X.521 is not exactly what is probably desired but
if I just make the following modification:

certificationAuthority OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
        cAName,
        cACertificate,
        certificateRevocationList,
        authorityRevocationList}
        MAY CONTAIN {crossCertificatePair}
::={objectClass 16}

then the previous DN could be changed as follows:

countryName=US, stateOrProvinceName=MD, organizationName=Trusted
Information Systems, cAName= TIS PCA

countryName=US, organizationName=RSA Data Security, Inc.,
cAName=Low Assurance Certification Authority

With this signed DN the signer is then clearly stating that this is
a CA, whereas a user DN would look more like:

countryName=US, stateOrProvinceName=MD, organizationName=Trusted
Information Systems, commonName= Joe Smith

To fully support PCAs and possibly the IPRA it seems reasonable for
PEM to define additional object classes for both.  If this is done
it would also be reasonable to define the objects such that they
enforce the PEM tree structure by requiring PCAs be a subclass of
IPRAs and CAs a subclass of PCAs.  With these additional objects you
could then clearly identify the difference of a CA, PCA, IPRA, user,
process, or whatever.
