Probably a dumb question, and sorry if this has already been asked or
discussed, but ...
1992 X.509 certs have two OPTIONAL fields that were not in 1988:
issuerUniqueIdentifier and subjectUniqueIdentifier.
The user's unique identifier contains "additional information about the
user. The exact form of the unique identifier contents is unspecified here
and left to the certification authority and might be, for example, an
object identifier, a certificate, a date or some other form of
certification on the validity of the distinguished name. ... Note: In
situations where a distinguished name might be reassigned to a different
user by the Naming Authority, CAs can use the unique identifier to
distinguish between reused instances. However, if the same user is provided
certificates by multiple CAs, it is recommended that the CAs coordinate on
the assignment of unique identifier as part of their user registration
procedures."
What really motivates these new fields? Would they allow PEM to do
something useful that it now cannot, or do they create potential
noninteroperable confusion?
In particular, is it true that the "ANSI X9.30 standard requires that the
issuer unique identifier field be filled in. This field will contain
information that allows the private key used to sign the certificate to be
uniquely identified. The subject unique identifier field is optional."
In the second sentence of the paragraph above, does that equivalently mean
that the issuerUniqueIdentifier allows me to uniquely identify the public
key that I need to use to verify the certificate? How do I do that; look
for a certificate where that issuer is the subject and that
issuerUniqueIdentifier is the subjectUniqueIdentifier?
If that field is necessary for that purpose in X9.30, and if PEM/1988 X.509
does not have it, what assumption in PEM allows us to identify the public
key we need to verify a certificate?
That is, ignoring for the moment all the other information that Bob
Jeuneman wants to put in certificates, would the added
issuerUniqueIdentifier, with the X9.30 twist, just make it easier or more
efficient to do what PEM already does, or does it add functionality?
Regards, -Rob-
Robert W. Shirey SHIREY(_at_)MITRE(_dot_)ORG
tel 703.883.7210, sec 703.883.5749, fax 703.883.1397
Info. Security Div., The MITRE Corp., Mail Stop Z231
7525 Colshire Drive, McLean, Virginia 22102-3481 USA
Wisconsin Badgers (10-1-1) Best Badger Record Ever!
'93 Big Ten and '94 Rose Bowl Champs, #5 in UPI Poll
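The lookup rule the question proposes (match the issuer name against a candidate's subject name, then match issuerUniqueIdentifier against subjectUniqueIdentifier) written out as an added illustration; this is not code from the original message, from PEM, or from any standard. The certificate records, names, unique identifier values and "public keys" are constructed stand-ins, and the functions and field names are assumptions made for the example. It shows the one thing the prose argument turns on: when a Naming Authority has reassigned a distinguished name, the name-only rule of PEM/1988 returns more than one candidate certificate, and the unique identifier is what narrows the search to a single verification key.

```python
# Added example, not part of the original message or of any PEM/X.509 code.
# Locates the certificate holding the public key needed to verify another
# certificate: first by the PEM/1988 rule (issuer name == subject name), then
# with the 1992 optional unique identifiers as a disambiguator when the same
# distinguished name has been reused. Every record here is constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str                         # subject distinguished name
    issuer: str                          # issuer distinguished name
    serial: int
    subject_uid: Optional[bytes] = None  # subjectUniqueIdentifier (1992, optional)
    issuer_uid: Optional[bytes] = None   # issuerUniqueIdentifier (1992, optional)
    public_key: str = ""                 # constructed stand-in for key material


def issuer_candidates_by_name(cert: Cert, store: List[Cert]) -> List[Cert]:
    """PEM/1988 rule: every certificate whose subject equals our issuer name."""
    return [c for c in store if c.subject == cert.issuer]


def issuer_candidates(cert: Cert, store: List[Cert]) -> List[Cert]:
    """Rule as the question proposes it: match on names, and if the certificate
    being verified carries an issuerUniqueIdentifier, keep only candidates whose
    subjectUniqueIdentifier equals it. A candidate lacking a
    subjectUniqueIdentifier is dropped in that case, because nothing ties it to
    the intended instance of the (possibly reused) name."""
    by_name = issuer_candidates_by_name(cert, store)
    if cert.issuer_uid is None:
        return by_name
    return [c for c in by_name if c.subject_uid == cert.issuer_uid]


def verification_keys(cert: Cert, store: List[Cert]) -> List[str]:
    """Public keys a verifier would have to try for `cert`. More than one means
    the lookup is ambiguous and each candidate's signature must be attempted."""
    return [c.public_key for c in issuer_candidates(cert, store)]


# Constructed store: one CA name that the Naming Authority reassigned, so two
# CA certificates carry the same subject DN but different unique identifiers.
CA_DN = "C=US, O=Example Corp, OU=Security, CN=Example PEM CA"
SAMPLE_STORE = [
    Cert(subject=CA_DN, issuer="C=US, O=Example Root", serial=1,
         subject_uid=b"\x01", public_key="K-old"),
    Cert(subject=CA_DN, issuer="C=US, O=Example Root", serial=2,
         subject_uid=b"\x02", public_key="K-new"),
]

# A 1988-style user certificate: issuer name only, no issuerUniqueIdentifier.
CERT_1988 = Cert(subject="C=US, O=Example Corp, CN=Alice", issuer=CA_DN, serial=100)

# A 1992-style user certificate naming which instance of the CA DN signed it.
CERT_1992 = Cert(subject="C=US, O=Example Corp, CN=Alice", issuer=CA_DN, serial=101,
                 issuer_uid=b"\x02")

# A certificate whose issuerUniqueIdentifier matches no stored CA instance.
CERT_ORPHAN = Cert(subject="C=US, O=Example Corp, CN=Bob", issuer=CA_DN, serial=102,
                   issuer_uid=b"\x03")


if __name__ == "__main__":
    print("1988 rule, name only:      ", verification_keys(CERT_1988, SAMPLE_STORE))
    print("1992 rule, with unique id: ", verification_keys(CERT_1992, SAMPLE_STORE))
    print("unknown issuer instance:   ", verification_keys(CERT_ORPHAN, SAMPLE_STORE))
```

Run as-is, the name-only lookup for the 1988-style certificate returns both CA keys, so a PEM verifier has to rely on there being exactly one current certificate per CA name (or try each signature); the certificate carrying an issuerUniqueIdentifier resolves to one key, and one naming an unknown instance resolves to none, which a verifier should treat as a failed path rather than falling back to name-only matching.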