Folks,
My very particular opinion about naming is that trying to use names as
the basis for solving all the problems of certification is not the
solution. Trying to continuously search for mechanisms and procedures
for re-defining and handling names in one way or the other is not the
solution.
Let me write some of my thoughts.
In daily life I always use my name in the same way, so why do I have to
be named in different ways when I appear in certificates for one purpose
or another?
Unambiguous identification is not a problem in current practices, even
with ambiguous naming. Suppose the case that two persons live in the
same country, city, street, building, apartment and even "they have the
same name". Does this mean that both will be issued with an identical
identity card? No, at least the identity number and the signature will
be different. Even the photo can be the same (imagine twin brothers). In
this case, will the certification authority allow both to be registered
under the same name? I realized that NO!
Imagine that, in Spain, people are now issued with a residential
certificate stored in a smartcard. For instance, my name appears in the
certificate as "C=ES; L=Barcelona; PA=av. street, 123 3-1; CN=Francisco
Jordan".
Now, my company wants to issue me a certificate in order to
locate/identify me in the context of the organization. The
organizational register asks me for the residential smartcard and then
issues me a certificate whose holder name is "C=ES; O=UPC; CN=Francisco
Jordan".
Does that make sense to me? Yes! I want to keep my social and working
life separate. I do not want professional mail, telephone calls, etc. to
be sent to my habitual residence.
As I am now working, I have money!! So I want to have my own credit
card. I go to my favorite bank ("Banco Muchamoney") to open an
account. The employee asks me for the residential smartcard, he/she opens
the account and issues me an account certificate. I also ask him/her to
issue me two credit cards, namely X-Card and Y-Card.
How should my name look in all these certificates? How should the issuer
name look in all these certificates?
Suppose that the bank wants (has) the name "C=ES; O=Banco Muchamoney".
It seems to me that the current thinking on naming will lead to the
following certificates.
- Account certificate:
  IssuerName: "C=ES; O=Banco Muchamoney; OU=Accounts"
  SubjectName: "C=ES; O=Banco Muchamoney; OU=Accounts; CN=Francisco Jordan"
- X-Card certificate:
  IssuerName: "C=xx; O=X-Card; OU=Spanish Branch; OU=Banco Muchamoney"
  SubjectName: "C=xx; O=X-Card; OU=Spanish Branch; OU=Banco Muchamoney; CN=Francisco Jordan"
- Y-Card certificate:
  IssuerName: "C=xx; O=Y-Card; OU=Spanish Branch; OU=Banco Muchamoney"
  SubjectName: "C=xx; O=Y-Card; OU=Spanish Branch; OU=Banco Muchamoney; CN=Francisco Jordan"
This means that "Banco Muchamoney" has been certified under X-Card and
Y-Card as follows:
- X-Card:
  IssuerName: "C=xx; O=X-Card; OU=Spanish Branch"
  SubjectName: "C=xx; O=X-Card; OU=Spanish Branch; OU=Banco Muchamoney"
- Y-Card:
  IssuerName: "C=xx; O=Y-Card; OU=Spanish Branch"
  SubjectName: "C=xx; O=Y-Card; OU=Spanish Branch; OU=Banco Muchamoney"
...or something like this.
But, I would certainly prefer something "more natural" like the
following:
- Account certificate:
  IssuerName: "C=ES; O=Banco Muchamoney; OU|CN=Accounts"
  SubjectName: "C=ES; L=Barcelona; PA=av. street, 123 3-1; CN=Francisco Jordan"
- X-Card certificate:
  IssuerName: "C=ES; O=Banco Muchamoney; OU|CN=X-Card"
  SubjectName: "C=ES; L=Barcelona; PA=av. street, 123 3-1; CN=Francisco Jordan"
- Y-Card certificate:
  IssuerName: "C=ES; O=Banco Muchamoney; OU|CN=Y-Card"
  SubjectName: "C=ES; L=Barcelona; PA=av. street, 123 3-1; CN=Francisco Jordan"
This means that "Banco Muchamoney" has been certified under X-Card and
Y-Card as follows:
- X-Card:
  IssuerName: "C=xx; O=X-Card; OU|CN=Spanish Branch"
  SubjectName: "C=ES; O=Banco Muchamoney; OU|CN=X-Card"
- Y-Card:
  IssuerName: "C=xx; O=Y-Card; OU|CN=Spanish Branch"
  SubjectName: "C=ES; O=Banco Muchamoney; OU|CN=Y-Card"
What are the advantages of these certificates?
- I always have the same name, and the certificates express an explicit
relationship between the bank and myself as a residential person (or
organizational if I use my other DN).
- The bank decides and controls its own names at its convenience.
- Individual names are more descriptive, i.e. each name clearly states
the object it is naming (a bank, a residential person, a credit card
company).
- Names in a certificate clearly express the relationship between issuer
and subject (a bank and a person, a credit card company and a bank). So,
as a whole, the certificate is more descriptive.
The question now is: In the validation process, how can a verifier
distinguish among my three certificates, i.e. Account, X-Card and
Y-Card? The question is even more interesting if you allow "Banco
Muchamoney" to use a single key pair, so that the signatures in my
certificates are all produced using the same private component. Now, you
do not have name subordination, so it is possible that my Y-Card
certificate can be validated by using the bank's X-Card or Account
certificate.
The answer is: Put explicit certification information in each
certificate. If you want a direct, unbreakable _certification_
relationship between subject and issuer entities, make it explicit, but
why disturb names for this purpose? (This is not the case for a direct
_naming_ relationship, where a naming hierarchy is wise.)
If we use something like an object identifier, i.e. a chain of numbers
representing the nodes of a tree, we can make a hierarchy of
certificates explicit by representing the certification authorities as
the nodes of an OID (OIDs have been used so far for hierarchically
registering objects). Then, we can explicitly represent the hierarchical
relationship along the certification tree while preserving names for
their designated purpose.
Like in standard OIDs, the root nodes will contain relevant information
about the administration of the tree. In a certification tree, the root
node will hold a top-level authority and the second node a policy
authority (see my previous mails).
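To make the verification question above concrete, here is a small added model of the scheme (it is not code from the original mail): each certificate carries the usual issuer and subject names plus an explicit OID-like certification-tree node, and the bank signs everything with one key pair. The key labels, node numbers and the stand-in signature check are constructed for illustration; the DNs are the ones from the "more natural" certificates above.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# OID-like chain of arcs naming a node of the certification tree
Node = Tuple[int, ...]

@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    key: str        # label standing in for the subject's public key
    signed_by: str  # label standing in for "the signature verifies under this key"
    node: Node      # explicit certification information carried in the certificate

def signature_ok(child: Cert, parent: Cert) -> bool:
    """All a verifier can check when names carry no subordination:
    the signature on `child` verifies under the key certified in `parent`."""
    return child.signed_by == parent.key

def name_subordinate(child: Cert, parent: Cert) -> bool:
    """Classic rule: the subject name is the issuer's subject name plus extra RDNs."""
    return child.subject.startswith(parent.subject + "; ")

def tree_child_of(child: Cert, parent: Cert) -> bool:
    """Explicit rule from the mail: the child's node hangs one arc below the
    parent's node, so the certification path is unambiguous even though the
    bank signs every certificate with the same key pair."""
    return len(child.node) == len(parent.node) + 1 and child.node[:-1] == parent.node

def validators(child: Cert, candidates: Iterable[Cert],
               rule: Callable[[Cert, Cert], bool]) -> List[Node]:
    """Nodes of the candidate issuer certificates that verify `child` under `rule`."""
    return [c.node for c in candidates if signature_ok(child, c) and rule(child, c)]

# Constructed sample: the bank holds ONE key pair ("bank-key") but two
# certificates, one issued under X-Card (node 1.1.7) and one under Y-Card (1.2.7).
ME = "C=ES; L=Barcelona; PA=av. street, 123 3-1; CN=Francisco Jordan"
BANK_X = Cert("C=xx; O=X-Card; OU|CN=Spanish Branch",
              "C=ES; O=Banco Muchamoney; OU|CN=X-Card", "bank-key", "xcard-key", (1, 1, 7))
BANK_Y = Cert("C=xx; O=Y-Card; OU|CN=Spanish Branch",
              "C=ES; O=Banco Muchamoney; OU|CN=Y-Card", "bank-key", "ycard-key", (1, 2, 7))
MY_Y_CARD = Cert(BANK_Y.subject, ME, "my-key", "bank-key", (1, 2, 7, 42))

if __name__ == "__main__":
    # Signature alone: both bank certificates "validate" my Y-Card certificate.
    print(validators(MY_Y_CARD, [BANK_X, BANK_Y], lambda c, p: True))
    # Name subordination cannot help: the subject keeps its residential name.
    print(validators(MY_Y_CARD, [BANK_X, BANK_Y], name_subordinate))
    # The explicit tree node singles out the Y-Card branch.
    print(validators(MY_Y_CARD, [BANK_X, BANK_Y], tree_child_of))
```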
I very much like a sentence written in "The Open Book" by M.T. Rose.
Let me reproduce it:
"Central to the notion of the OBJECT IDENTIFIER is the understanding
that administrative control of the meanings assigned to the nodes may be
delegated as one traverses the tree".
Now, replace "OBJECT IDENTIFIER" with "HIERARCHICAL CERTIFICATION TREE".
I absolutely agree that name subordination is a good method for
controlling delegation, but in particular situations, not in all cases.
For instance, in the example above, the employees of "Banco
Muchamoney" will have names subordinated to their organization, but
customers should not. When I see name subordination in a certificate, I
understand that the subject object is fully subordinated to the
issuer in the sense that the latter controls the former. When I see a
certificate without name subordination, I understand that the subject
object and the issuer have some kind of relationship (certification
relationship) or agreement whereby the issuer grants some privileges to
the subject, but does not necessarily control it.
With the following certificate:
  IssuerName: "C=ES; O=Engineering Association"
  SubjectName: "C=ES; L=Barcelona; PA=av. street, 123 3-1; CN=Francisco Jordan"
it is possible to ascertain the kind of relationship between subject and
issuer, in my opinion, more clearly than if the subject were
subordinated to the issuer. I am in the Spanish Engineering Association
as a civil person, as an individual. I am not part of the staff.
In this way, as long as I distribute the certificate (and supposing a
ubiquitous X.500 Directory service), people can find out where to send
me mail or how to phone me. If I do not want this kind of publicity,
then I should use an anonymous name.
In my X.500 directory entry, I store what I want. This means that I
certainly will not store my credit-card certificates, but many other
certificates I want to have public. Thus, people can always find my
certificates in the same place without the need for name aliasing or
other complicated schemes. BTW, my directory entry is the right place to
have my picture stored.
If we already have a way of expressing certification, why burden names
with this task? If I am able to ascertain that CertA was issued to a CA
by a PCA without looking at names, then I can use such names at my
convenience.
If we have such a degree of freedom for naming while preserving
certification precisely, we cannot ask for more. We have no problems
with certificate names any more.
Although I prefer to use X.500 DNs in certificate names and further use
attribute or extended certificates to convey many other attributes, for
the DNS fans, NOTE that with this scheme certificate names can in
particular be DNS names as well.
In particular, I am intrigued to know what impact the following
certificates would have on purists:
CertA:
  IssuerName: "C=US; O=RSA ...; CN=Low Assurance Policy"
  SubjectName: "domainB.domainA"
CertB:
  IssuerName: "domainB.domainA"
  SubjectName: "name@domainB.domainA"
Cheers!
Francisco Jordan
Group of Distributed Systems
UPC - Universitat Politecnica de Catalunya
Barcelona - Spain