pem-dev

Re: E-mail address mappings, Mk 2

1994-03-28 18:05:00
   >From: Mr Rhys Weatherley <rhys(_at_)fit(_dot_)qut(_dot_)edu(_dot_)au>
   >Subject: E-mail address mappings, Mk 2
   >Date: Tue, 29 Mar 1994 08:53:52 +1000 (EST)

   >I'm scratching my head here and preparing to write a second draft of my
   >e-mail address proposals.  Here's a summary of my latest ideas.
   >
   >Cheers,
   >
   >Rhys.


I'M HAPPY, FOR ONE, IF WE ADD ONE LITTLE THING.

Change the certificate processing procedures to eliminate the email RDN
from the Name, when formalizing the DistinguishedName of the subject
and issuer field.

I.e., PEM simply declares that for its registered OID, all PEM-UA
processing implementations will strip that e-mail attribute from the Name
as part of reconstructing the DER encoding of the certificate. What
PEM-UAs use the value for, in other circumstances, is their business,
and constitutes local processing.

This is wholly appropriate to the purposes and definition of "Name" versus
"DistinguishedName": aiding the searching of DITs by supplying extra keys.

How does one know which attributes to throw away? As I said, it's
there in the processing definition, which is required to be hard-coded.

The specification of the attributes to be eliminated is to be given in the IANA registry.

The consequence is that deployed PEMs must have the elimination rule encoded.

Serious PEMs I have seen reject certificates anyway which do not
conform to their (restricted) naming architecture. So their behaviour
would not actually be changed, should the extra distinguished attribute
be introduced. Another reason to reject, that's all.

Other PEMs which do not compute DER would also suffer a little, not
having heeded the requirement to do so in RFC 1422.

(Note that the e-mail address is an IA5String, and thus has a
CCITT terminal-oriented character set. Best to use something more
appropriate to Internet devices, i.e. use the attribute syntax of T.61String.)

Note that there is no reason why the attribute could not be associated (and
eliminated) with all levels in the DIT. Should an e-mail address be
associated with the prefix of the common name, then one knows, unauthoritatively,
the mailbox of the jurisdictional CA serving that naming context.
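
A worked illustration of the elimination rule proposed above, added here as an example; it is not code from the original message nor from any PEM-UA. It is a minimal DER encoder and decoder for an X.501 Name that removes one attribute type from every RDN at every level (discarding any RDN left empty) before the certificate's DER is reconstructed, and a separate lookup that shows the value being kept for local processing first. The message names no OID, so the example assumes the registered e-mail attribute is PKCS#9 emailAddress, 1.2.840.113549.1.9.1; the sample subject and CA-prefix names are constructed, and one address is carried as IA5String and the other as T.61String to show that the rule keys on the attribute type, not the string syntax.

```python
"""Elimination of the e-mail attribute from an X.501 Name before DER re-encoding.

Added example for the pem-dev thread above; not code from any PEM-UA.
Assumption: the registered e-mail attribute is PKCS#9 emailAddress,
OID 1.2.840.113549.1.9.1 (the thread names no OID).  Standard library only.
"""
EMAIL_OID = "1.2.840.113549.1.9.1"            # assumed attribute to eliminate
COUNTRY_OID, ORG_OID, CN_OID = "2.5.4.6", "2.5.4.10", "2.5.4.3"
TAG_OID, TAG_PRINTABLE, TAG_T61, TAG_IA5 = 0x06, 0x13, 0x14, 0x16
TAG_SEQUENCE, TAG_SET = 0x30, 0x31

def tlv(tag, body):
    """Tag, definite length (short form below 128, long form above), value."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0   # fine for arcs 0.x, 1.x, 2.y (y < 40)
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, body, position just after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

# A Name is modelled as a list of RDNs; an RDN is a list of (OID, string tag, text).
def encode_name(rdns):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue.
    DER orders SET OF members by their encodings, hence sorted()."""
    sets = []
    for rdn in rdns:
        atvs = sorted(tlv(TAG_SEQUENCE, encode_oid(o) + tlv(t, s.encode("latin-1")))
                      for o, t, s in rdn)
        sets.append(tlv(TAG_SET, b"".join(atvs)))
    return tlv(TAG_SEQUENCE, b"".join(sets))

def decode_name(der):
    tag, body, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        stag, sbody, pos = read_tlv(body, pos)
        if stag != TAG_SET:
            raise ValueError("RDN must be a SET")
        rdn, p = [], 0
        while p < len(sbody):
            _, atv, p = read_tlv(sbody, p)
            _, oid_body, q = read_tlv(atv, 0)
            vtag, vbody, _ = read_tlv(atv, q)
            rdn.append((decode_oid(oid_body), vtag, vbody.decode("latin-1")))
        rdns.append(rdn)
    return rdns

def find_attribute(der_name, oid=EMAIL_OID):
    """Local processing: the values a PEM-UA may use before it strips them."""
    return [(t, s) for rdn in decode_name(der_name) for o, t, s in rdn if o == oid]

def strip_attribute(der_name, oid=EMAIL_OID):
    """The elimination rule: drop the attribute from every RDN at every level,
    discard any RDN left empty, and re-encode in DER."""
    kept = [[a for a in rdn if a[0] != oid] for rdn in decode_name(der_name)]
    return encode_name([rdn for rdn in kept if rdn])

# Constructed samples, not real certificates.  SUBJECT carries the address beside
# the common name in a multi-valued RDN; CA_PREFIX carries it as an RDN of its own
# above the organisation, the "jurisdictional CA" case.
C = [(COUNTRY_OID, TAG_PRINTABLE, "AU")]
O = [(ORG_OID, TAG_PRINTABLE, "Example Univ")]
CN = (CN_OID, TAG_PRINTABLE, "Example User")
SUBJECT = [C, O, [CN, (EMAIL_OID, TAG_IA5, "user@example.edu")]]
SUBJECT_CANONICAL = [C, O, [CN]]
CA_PREFIX = [C, [(EMAIL_OID, TAG_T61, "ca@example.edu")], O]
CA_PREFIX_CANONICAL = [C, O]

if __name__ == "__main__":
    der = encode_name(SUBJECT)
    print("mailbox kept for local use:", find_attribute(der))
    print("subject stripped == canonical:", strip_attribute(der) == encode_name(SUBJECT_CANONICAL))
    print("CA-level e-mail RDN dropped:",
          strip_attribute(encode_name(CA_PREFIX)) == encode_name(CA_PREFIX_CANONICAL))
```

The point of re-encoding rather than patching bytes is the one the message leans on: the rule only works for a PEM-UA that already produces canonical DER of the subject and issuer (the SET OF ordering above is what makes two encodings of the same Name compare equal), which is why an implementation that never computes DER is the one that "suffers a little".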

