pem-dev

Syntax vs. semantics

1994-02-02 18:39:00
Steve:

Paul> More importantly, an issuer must take care that a requested subject
name does not refer to a distinct object when creating a certificate.

Bob>I hope there was a typo in here somewhere???  Are you trying to
suggest that a CA which is not operating under an X.500 directory should
somehow be forced to ensure that the DN in the certificate that it
creates is not already in use within the directory?  Other than by using
name subordination and therefore name qualification, how would you go
about doing this?

Bob> What you are saying, I think, is that PEM should impose the
"syntax" rules (caseIgnore, etc.)  suggested for attributes listed in
X.520 when deciding whether two DNs are in fact the same.

Steve> How can it not impose the "syntax"?  If it doesn't, then two
strings which represent the same value will be treated as distinct.

Bob> I think that I'm suggesting that the issue of variant DNs within a
certificate is a red herring.  Even if you don't know the syntax
associated with an OID that you have never seen before, we can tell
whether or not there is an exact match FOR PURPOSES OF COMPARISON
BETWEEN CERTIFICATES.

Steve> Not quite.  I think you've just declared that a CA may use only
one form of a value when it issues a certificate.  Unfortunately, that
also opens the door for issuing certificates for Sally A. Smith and
Sally a. Smith and meaning that they're separate people.


It seems that TIS is claiming that it is possible to declare in some way
that two DNs represent the same "PERSON", but that much of what Bob has
been saying (all along) is that we need DNs to be more discriminating
between the same "PERSON" with different (as an example of an AVA)
roles.  This problem seems to strike at the core of the difficulty of
treating the DN as a means of establishing the identity of the "PERSON",
vis-à-vis the use of the DN as an index for a certificate (so that PEM
can retrieve that certificate).  IMHO it is presumptuous for any
software package to take on the task of establishing the identity of a
"PERSON".  If the DN is different, it is different!  What else is there
to be said?  And if the software starts equating "PERSONS", where is it
to stop?  That is, which inference rules are purely syntactic and which
are semantic (carry meaning)?  (A real question: is Harry S. Truman
the same as Harry S Truman?)

Peace ..Tom
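The two comparison rules argued over above, worked through in code as an added example (this is not code from the pem-dev discussion or from any PEM implementation). It parses string-form DNs into RDNs and AVAs, compares them either byte-exact or under an approximation of X.520 caseIgnoreMatch (case folded, surrounding whitespace dropped, internal whitespace runs collapsed), and then keys a small certificate index by DN under each rule. The DNs and certificate labels are constructed for the example; only the unescaped, comma-separated string form is handled, and attribute types are always compared case-insensitively, which are assumptions of this example, not of the thread.

```python
# Added example (not from the pem-dev post): compare X.500 DNs byte-exact and
# under an X.520 caseIgnoreMatch approximation, then use each rule as the key
# of a certificate index, to show which of the post's name pairs each rule
# equates and which it keeps distinct.
from typing import Callable, Dict, FrozenSet, List, Tuple

AVA = Tuple[str, str]            # (attribute type, attribute value)
Rule = Callable[[str], str]      # value normalizer defining a matching rule


def parse_dn(dn: str) -> List[List[AVA]]:
    """Split a string DN into RDNs; each RDN is a list of AVAs.

    RDNs are separated by ',', members of a multi-valued RDN by '+'.
    Only the simple unescaped form is handled (assumption for this example);
    whitespace around separators is insignificant in that form and is dropped.
    Attribute types are upper-cased because type names are case-insensitive.
    """
    rdns: List[List[AVA]] = []
    for rdn in dn.split(","):
        avas: List[AVA] = []
        for ava in rdn.split("+"):
            typ, sep, val = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed AVA: {ava!r}")
            avas.append((typ.strip().upper(), val.strip()))
        rdns.append(avas)
    return rdns


def exact(value: str) -> str:
    """Byte-exact rule: the value must match character for character."""
    return value


def case_ignore(value: str) -> str:
    """X.520 caseIgnoreMatch approximation: fold case, drop leading/trailing
    whitespace, collapse internal runs of whitespace to one space."""
    return " ".join(value.casefold().split())


def normalize(dn: str, rule: Rule) -> List[FrozenSet[AVA]]:
    """Canonical form of a DN under `rule`: an ordered list of RDNs, each an
    unordered set of (type, normalized value) pairs."""
    return [frozenset((t, rule(v)) for t, v in rdn) for rdn in parse_dn(dn)]


def dn_equal(a: str, b: str, rule: Rule = case_ignore) -> bool:
    """True when both DNs have the same RDN sequence and every attribute value
    matches under `rule`."""
    return normalize(a, rule) == normalize(b, rule)


class CertIndex:
    """Certificate lookup keyed by DN under a chosen matching rule, i.e. the
    'DN as an index for a certificate' use the post distinguishes from
    'DN as identity of a PERSON'."""

    def __init__(self, rule: Rule = case_ignore) -> None:
        self.rule = rule
        self._by_dn: Dict[Tuple[FrozenSet[AVA], ...], List[str]] = {}

    def add(self, dn: str, cert: str) -> None:
        self._by_dn.setdefault(tuple(normalize(dn, self.rule)), []).append(cert)

    def lookup(self, dn: str) -> List[str]:
        return list(self._by_dn.get(tuple(normalize(dn, self.rule)), []))


# Constructed DN pairs built around the names used in the post.
PAIRS = [
    ("CN=Sally A. Smith, O=TIS, C=US", "CN=Sally a.  Smith, O=TIS, C=US"),
    ("CN=Harry S. Truman, O=TIS, C=US", "CN=Harry S Truman, O=TIS, C=US"),
    ("CN=Sally A. Smith, OU=Sales, O=TIS, C=US",
     "CN=Sally A. Smith, OU=Audit, O=TIS, C=US"),
]


def compare_pairs(pairs=PAIRS) -> List[Tuple[bool, bool]]:
    """For each pair, (equal under exact rule, equal under caseIgnore rule)."""
    return [(dn_equal(a, b, exact), dn_equal(a, b, case_ignore)) for a, b in pairs]


if __name__ == "__main__":
    for (a, b), (ex, ci) in zip(PAIRS, compare_pairs()):
        print(f"{a!r} vs {b!r}: exact={ex} caseIgnore={ci}")
```

Under caseIgnore the two spellings of Sally's name collapse to one index key, which is the point Steve makes: a CA that compares byte-exact could issue both as separate subjects. The Truman pair stays distinct under both rules, because a period is not whitespace and no syntactic rule in X.520 says "S." and "S" are the same initial; deciding that is the semantic step Tom objects to software taking. The role pair stays distinct under both rules as well, which is the discrimination Bob wants the DN to keep.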
