pem-dev

Re: Changes to X.509 certificate format.

1994-04-05 03:02:00
Cc: Richard Ankney


Robert R. Jueneman wrote:

While I'm on this subject, Richard Ankney made two observations:

1.  X9.30 originally used the UID to distinguish between multiple
certificates for a user, but the UID is used by the 1993 X.500 ACL
mechanism so it has to identify a user, not his certs.  We
regretfully removed this idea from X9.30.

I'm not sure that I understand this, perhaps because I haven't looked
at strong authentication all that seriously yet. Since you are running
a DSA with strong authentication, could you comment?

I do not know exactly what Richard Ankney's current position is, but his
comment was not completely exact.
In an X.509 (93) certificate, it is the <issuerDN+issuerUniqueId+SN> that
distinguishes between multiple certificates for a user. And it is the
<subjectDN+subjectUniqueId> that distinguishes reassigned instances of a
user and that is used by the X.500 (93) ACL mechanism.
So, I don't think he has to remove this idea from ANSI X9.30, but only
change the user UID to the issuer UID.

If one user (DN) has multiple certificates for different purposes, how
are we supposed to tell the difference? One obvious way is to create
another entry under the user's common name node, but now I've lost
the sense of a single user??

Certainly, by the issuer DN. A certificate has never been identified by
means of the subject DN. You identify an X.509 (88) certificate by means
of the "issuerDN+SN" and now, if you use X.509 (93), you uniquely
identify a certificate with "issuerDN+issuerUniqueId+SN".

There is certainly a good opportunity to take advantage of the issuerUniqueId
to locate a particular certificate in a user's Directory entry, i.e.
given the user DN and the issuerUniqueId you can select a particular
certificate. Obviously, this should be done by automated means, as
UIDs will normally be bit strings that are meaningless to humans.


Francisco Jordan
Group of Distributed Systems
UPC - Universitat Politecnica de Catalunya
Barcelona - Spain
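To make the identification rules discussed in this message concrete, here is an added example (not from the original message, the pem-dev list, or any standard's text) that models a user's Directory entry holding several certificates and shows why issuerDN+SN alone can collide under X.509 (88) while issuerDN+issuerUniqueId+SN cannot under X.509 (93), and how a certificate is selected from the entry by issuerUniqueId. All DNs, UIDs and serial numbers are constructed sample values, and the `Cert` record is a model of the identifying fields, not parsed DER.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, List, Optional


@dataclass(frozen=True)
class Cert:
    """Identifying fields of an X.509 certificate (constructed model, not parsed DER)."""
    issuer_dn: str
    serial: int
    subject_dn: str
    issuer_uid: Optional[bytes] = None   # issuerUniqueIdentifier, X.509 (93) only
    subject_uid: Optional[bytes] = None  # subjectUniqueIdentifier, X.509 (93) only


def cert_id_88(c: Cert) -> Hashable:
    """X.509 (88): a certificate is named by issuerDN + serialNumber."""
    return (c.issuer_dn, c.serial)


def cert_id_93(c: Cert) -> Hashable:
    """X.509 (93): issuerDN + issuerUniqueId + serialNumber, so a reused issuer name cannot collide."""
    return (c.issuer_dn, c.issuer_uid, c.serial)


def entity_id_93(c: Cert) -> Hashable:
    """X.509 (93): subjectDN + subjectUniqueId names the user instance (what X.500 ACLs use)."""
    return (c.subject_dn, c.subject_uid)


def collisions(certs: List[Cert], key: Callable[[Cert], Hashable]) -> Dict[Hashable, List[Cert]]:
    """Group certificates by an identifier and return only the groups with more than one member."""
    groups: Dict[Hashable, List[Cert]] = {}
    for c in certs:
        groups.setdefault(key(c), []).append(c)
    return {k: v for k, v in groups.items() if len(v) > 1}


def select_by_issuer_uid(entry_certs: List[Cert], issuer_uid: bytes) -> Cert:
    """Pick the one certificate in a user's Directory entry issued by the CA instance with this UID.
    Raises LookupError when zero or several match (the caller must then also supply the serial)."""
    hits = [c for c in entry_certs if c.issuer_uid == issuer_uid]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} certificates match issuerUniqueId {issuer_uid.hex()}")
    return hits[0]


# Constructed sample entry: two CA instances sharing one issuer DN but carrying different
# (hypothetical) issuerUniqueIds have each issued serial 1 to the same user.
ALICE_ENTRY = [
    Cert("C=XX, O=Example CA", 1, "C=XX, O=Example, CN=Alice", b"\x01", b"\xa1"),
    Cert("C=XX, O=Example CA", 1, "C=XX, O=Example, CN=Alice", b"\x02", b"\xa1"),
    Cert("C=XX, O=Other CA", 7, "C=XX, O=Example, CN=Alice", b"\x10", b"\xa1"),
]

if __name__ == "__main__":
    print("X.509 (88) collisions:", len(collisions(ALICE_ENTRY, cert_id_88)))   # 1
    print("X.509 (93) collisions:", len(collisions(ALICE_ENTRY, cert_id_93)))   # 0
    print("distinct user instances:", len({entity_id_93(c) for c in ALICE_ENTRY}))  # 1
    print("serial selected by issuer UID 02:", select_by_issuer_uid(ALICE_ENTRY, b"\x02").serial)  # 1
```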

