An alternative to the introduction of new attribute types or the adoption
of a dirty hack is the following proposal, which would solve some but
not all of the points raised in Warwick's original message on this topic:
A RelativeDistinguishedName may be composed of a set of
AttributeValueAssertions (AVAs). Let the DistinguishedName of my organization,
for instance, be
C=DE; O=GMD (don't mind the abbreviation)
and let's allow the DistinguishedName of GMD's CA to be
C=DE; O=GMD % ObjectClass=certificationAuthority
(the semicolon separates RDNs while the '%' separates AVAs within one RDN in
this notation).
ObjectClass is an X.500-defined attribute type which necessarily exists in
each Directory entry, and the attribute value certificationAuthority is an
X.500-defined object identifier which is restricted to CAs.
If we now modify the name subordination rule by saying
"When a PEM UA compares RDNs in order to enforce DN subordination,
it shall ignore the AVA ObjectClass=certificationAuthority.",
we would allow GMD's CA to certify, for instance,
C=DE; O=GMD; CN=Wolfgang Schneider, or
C=DE; O=GMD; OU=Department of ... % ObjectClass=certificationAuthority
We would have the following benefits:
- It allows organizations (or OUs) to maintain different Directory entries
for the organization (or OU) as a whole and for the organization's CA. This
might be useful if one wishes to publish different attributes or different
attribute values for the organization and the organization's CA, e.g.
different telephone numbers, descriptions, roles etc., and it would allow
different access control rights to be established.
- It preserves the entire functionality of the DN subordination rules as they
are now.
- It also allows DN schemes to be established as they are required by the
current DN subordination rules.
- It would not affect any existing X.500 DSA or X.500 DUA.
- It would require only a very small modification of the current RFC 1422.
Since the attribute value "certificationAuthority" is an object identifier, we
would probably need a recommendation on how a PEM UA shall display this AVA
to the user.
A second alternative which would come closer to Warwick's original proposal
is that the DN of a CA which serves a subtree of the DIT is immediately
subordinate to its associated node (as Warwick proposes) AND has an
AVA "ObjectClass=certificationAuthority" in its last RDN. This would avoid
the introduction of a new attribute type. Such a solution would certainly
offer more flexibility, but would require a major change of the DN
subordination rule. However, I'm convinced that in this case, too, the
functionality of the current subordination rules would be preserved.
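As an added illustration (not part of the original message), the following Python model parses the DN notation used above (';' between RDNs, '%' between AVAs of one RDN) and implements both rules: the first proposal's subordination check that ignores the AVA ObjectClass=certificationAuthority, and the second alternative's test that a CA DN is immediately subordinate to its node and carries that AVA in its last RDN. Attribute values are compared case-insensitively here as a simplification of X.500 matching rules; the sample DNs not taken from the text are constructed.

```python
# Constructed model of the DN notation and subordination rules discussed above.
# ';' separates RDNs, '%' separates AVAs within one RDN (as in the message).

CA_AVA = ("objectclass", "certificationauthority")  # the AVA to be ignored


def parse_dn(text):
    """Parse 'C=DE; O=GMD % ObjectClass=certificationAuthority' into a list
    of RDNs, each a frozenset of (type, value) pairs. Types and values are
    lower-cased, a simplification of X.500 attribute matching rules."""
    rdns = []
    for rdn in text.split(";"):
        avas = set()
        for ava in rdn.split("%"):
            typ, _, val = ava.partition("=")
            avas.add((typ.strip().lower(), val.strip().lower()))
        rdns.append(frozenset(avas))
    return rdns


def strip_ca_ava(rdn):
    """Drop ObjectClass=certificationAuthority from one RDN before comparing."""
    return frozenset(ava for ava in rdn if ava != CA_AVA)


def is_subordinate(issuer_dn, subject_dn):
    """First proposal: the subject DN is subordinate to the issuer DN when the
    issuer's RDNs, with the CA marker AVA ignored, form a proper prefix of the
    subject's RDNs (also with the marker ignored)."""
    issuer = [strip_ca_ava(r) for r in parse_dn(issuer_dn)]
    subject = [strip_ca_ava(r) for r in parse_dn(subject_dn)]
    return len(subject) > len(issuer) and subject[: len(issuer)] == issuer


def is_ca_dn_second_alternative(node_dn, ca_dn):
    """Second alternative: the CA DN is immediately subordinate to the node it
    serves (exactly one RDN longer, node DN as prefix) and its last RDN
    contains the AVA ObjectClass=certificationAuthority."""
    node = parse_dn(node_dn)
    ca = parse_dn(ca_dn)
    return len(ca) == len(node) + 1 and ca[: len(node)] == node and CA_AVA in ca[-1]


if __name__ == "__main__":
    gmd_ca = "C=DE; O=GMD % ObjectClass=certificationAuthority"
    print(is_subordinate(gmd_ca, "C=DE; O=GMD; CN=Wolfgang Schneider"))  # True
    print(is_subordinate(gmd_ca, "C=DE; O=Other; CN=Someone"))          # False
```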
In order to make CAs and PCAs distinguishable without introducing new attribute
types, I can imagine using a combination of ObjectClass=certificationAuthority
and an attribute type like "description" or the new "dnQualifier" with a
standardized attribute value.
Wolfgang Schneider