pem-dev

Re: Re: CA Names

1994-02-02 17:10:00
I begin to see the problem here. 

What you are saying, I think, is that PEM should impose the 
"syntax" rules (caseIgnore, etc) suggested for attributes listed 
in X.520 when deciding whether two DNs are in fact the same.

But where should we stop? Should we reject a DN for inclusion in
a certificate if it doesn't meet our understanding of what a "reasonable"
directory schema should be, even though Subschema Administrative
Authorities and/or Autonomous Administrative Authorities can define 
their own unique schemas? 

I understand that equivalence classes of names are necessary for
directory searches and even reads. But are we certain that we need to have
such a construct for DNs in a certificate?

I agree that we ought to require a certain amount of canonicalization
of the DN before we consider it acceptable for PEM purposes, and a PEM
CA could enforce those rules. But other than removing multiple consecutive 
blanks, what else would we propose? 

In particular, as part of the "CA Guidelines for Name Registration" 
document that I am trying to put together for the ABA, I am suggesting
that organization names in particular be the precise legal name by which
an organization is known. Since that name is derived from either
a national registration authority (ANSI), or by virtue of being incorporated
or otherwise registered by the Secretary of State of a state or province,
or by being listed on a business license within a state and locality,
it would appear to me that there is one and only one name that is allowable.

If someone registers "IBM", meaning International Business Machines Corp.,
and someone else is allowed by the Secretary of State of the Federated Islands 
of Micronesia to register as "ibm" meaning Itty Bitty Movers, who are we to say 
that those names "ought" to be the same?

I think that I'm suggesting that the issue of variant DNs within a certificate is
a red herring. Even if you don't know the syntax associated with an OID that
you have never seen before, we can tell whether or not there is an exact
match FOR PURPOSES OF COMPARISON BETWEEN CERTIFICATES.

Trying to do more would simply come to grief with aliases in any case,
or so it would seem to me.

I've probably oversimplified this.  It seems too easy??

Bob
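As an added illustration (not part of Bob's message or the pem-dev archive) of the two comparison policies being argued over: the first collapses consecutive blanks and otherwise compares DN values exactly, the second additionally applies X.520 caseIgnore matching to a small assumed subset of attribute types, while any attribute type it has never seen before still falls back to exact comparison. The simplified "C=US, O=..." string syntax and the `CASE_IGNORE_TYPES` set are assumptions for this example.

```python
import re

# Assumed subset of attribute types whose X.520 equality rule is caseIgnoreMatch.
# A real schema lists many more; this is only for the example.
CASE_IGNORE_TYPES = {"C", "O", "OU", "CN", "L", "ST"}


def parse_dn(dn):
    """Parse 'C=US, O=IBM, CN=Bob' into [("C", "US"), ("O", "IBM"), ("CN", "Bob")].

    Deliberately naive: assumes no escaped commas and single-valued RDNs.
    Attribute type names are uppercased because the type itself is not case-sensitive.
    """
    rdns = []
    for part in dn.split(","):
        typ, _, val = part.partition("=")
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns


def canonical_value(val, case_ignore):
    """Collapse runs of blanks (the one canonicalization rule the message proposes),
    and fold case only when the caller's policy says the attribute is caseIgnore."""
    val = re.sub(r"\s+", " ", val.strip())
    return val.lower() if case_ignore else val


def dn_equal(dn_a, dn_b, policy="exact"):
    """Decide whether two DNs are 'the same' under a named policy.

    policy == "exact": blank-collapsed, case-sensitive comparison of every value,
                       i.e. the 'exact match for comparison between certificates' rule.
    policy == "x520":  caseIgnoreMatch for types in CASE_IGNORE_TYPES; an attribute
                       type not in that set (e.g. an unknown OID) is still compared exactly.
    """
    a, b = parse_dn(dn_a), parse_dn(dn_b)
    if len(a) != len(b):
        return False
    for (ta, va), (tb, vb) in zip(a, b):
        if ta != tb:
            return False
        ci = policy == "x520" and ta in CASE_IGNORE_TYPES
        if canonical_value(va, ci) != canonical_value(vb, ci):
            return False
    return True
```

The "IBM" versus "ibm" case from the message is exactly where the two policies diverge: exact comparison keeps them distinct, caseIgnore merges them into one name.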
