If PEM is to be used in conjunction with X.500 name and certification
structures used for other purposes, I believe it will be necessary to
improve the naming convention for CAs. Below I document the suggestion
I discussed with some of you in New York.
A major concern with current PEM naming rules is that one cannot have
multiple CAs (at least not CAs with different key pairs) at the same
point of the naming tree. I believe this is an important requirement
for various reasons including (for organizational CAs):
- different CAs to handle different subsets of the organizational
namespace, but not divisable in accordance with the DIT structure
(e.g., different assurance characteristics for employees working on
certain projects);
- CAs at different sites for backup or load-share purposes;
- old-technology CA and new-technology CA, both in operation for an
overlap period.
For residential CAs, the same requirement is apparent. In particular,
the ability to have multiple CAs operated by different agent
organizations each dealing with some subset of the namespace (say, of a
State), but not a subset that corresponds to a subtree of the DIT.
The possible use of poly-instantiated CAs sharing the one key pair does
not solve this adequately. It is not suitable for
organizations wanting to allow for multiple vendors (e.g.,
governments), for mixed technologies, for smart-card-based CAs, for a
mixture of operating agents, or for those wishing to follow the
oft-favoured policy that a signing key should NEVER leave the one
tamperproofed-enclosure in which it was generated and is used.
Given this requirement, I would like to suggest a new PEM convention,
which satisfies this requirement and also has some other
benefits with respect to concerns raised previously on
pem-dev. In particular, it gives a separate directory entry for a CA
than for the O or OU node to which it relates. (Can therefore use
various directory attributes much better, e.g., a different telephone
no. for the CA than for the O itself, etc.)
While the main concern is with CAs, I extend the proposal to PCAs for
consistency.
The suggested new convention is:
(a) Define, in the PEM spec, two special directory attributes, say CA=
and PCA= (with attribute-syntax caseIgnoreStringSyntax; assign IETF
OIDs).
(b) A CA logically relates to a node in the "regular" DIT, e.g., an O
(org), OU, or SP (state/province) node. Let us call this the
"associated node" for a CA.
(c) In the DIT, a CA is immediately subordinate to its associated node
and must have an RDN of the form CA=... (Example: For associated node
/C=US /O=Northern Telecom/, there might be a CA with name /C=US
/O=Northern Telecom/CA=Primary CA/.)
(d) A CA may only issue certificates for DNs which are subordinate to
the DN of its associated node (i.e., the basic name subordination rule
is preserved).
(e) For a PCA, similar rules (excluding (d)) can apply.
(f) The attributes CA= and PCA= may only be used in accordance with
the above.
Such a convention could operate as an alternative to, and in parallel
with, the current CA naming convention, at least over a period of
migration. In the long term, it might be worthwhile making this the
only convention. An advantage is that it would then be extremely easy
to recognize (either by software or by a user) any DN (certificate) as
being that of a PCA, CA, or something else.
Warwick Ford,
Bell-Northern Research, Ottawa
????????????????????????????????????????
????????????????????????????????????????
?????????????????????????????????????