Bob Jueneman writes:
A couple of comments:
I certainly agree with the Internet e-mail address extension, after all of the
arguments over the last year of civil naming structure vs. every other possible
alternative. However, we should be sure that the character set and other
"trivial" details will support non-Internet networks, so that we don't
accidentally discriminate against someone's gateway, whether X.400, bitnet,
etc. Particularly in this day and age of NAFTA, we don't want to rule out
c-cedillas and n-tildes (at least until we see which way the elections go!)
If the (a) hack has to be used because of an awkward choice of character set,
then at a minimum a careful caution should be added to the text. But I will
leave such arcane details to the character set specialists.
I support the latter sentence. Certainly we do not want an (a) hack.
I have a few more misgivings about the intent of the printableSubjectID. First
of all, if the intent is to allow the user to specify his own name, etc., in a
"human readable, user friendly" fashion, then support for international
character sets is even more important than in the email address case.
Same comment as above.
But aside from the syntax, I'm not sure that I understand the semantics. I am
worried that the user might say one thing in the fairly precise distinguished
name field, and then say something rather different in the "user friendly"
field. Since the CA is supposed to certify these fields, we are supposed to
believe that they are "true", or at a minimum at least globally unambiguous.
But if these names are not qualified by the use of the CA's name, that may be
very difficult to assure.
The significant point is that the CA must consider the field acceptable. The
contents may originate from the user but, in the organization case at least,
they are more likely to originate from the organization.
In my first cut at this, I assumed it would be simply a printable string that
would be considered very helpful to signature verifiers and that the
organization (actually, the CA) would be comfortable endorsing. For example,
the string for Bob Jueneman (as a GTE person) might be:
"Robert R. Jueneman, Mgr., Secure Systems, Wireless and Secure Systems
Laboratory, GTE Laboratories"
This would be very helpful to many (if not most) signature verifiers. Depending
upon your X.500 name structure, it would likely be more useful than your DN
(e.g., might convey more useful information, such as your position).
Furthermore, it would be a very easy thing to implement.
A comment from Mark Wahl led to the thought that maybe this piece of information
should be more structured, so that the signature-verifying application could
control what parts of the information are presented to its user. A likely
construct would be a collection of X.500 attributes about the subject. Such
attributes might include, for example, organization, org units, role, telephone
number, and even photo. This approach sounds fine, especially for organizations
that actually have X.500 systems out the back. The same basic criteria apply -
this information is information that the CA is prepared to endorse, and is
prepared to make known to potential signature verifiers.
Both of the above variants of the basic concept seem useful to me, and have
their respective merits. I would welcome other views.
Could you take a stab at a semantic definition, and offer several diverse but
concrete examples?
I hope the comments contribute adequately to this request.
Warwick Ford
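An added example, not code from the thread or from any PEM/X.509 implementation, modelling the two printableSubjectID variants discussed above: the free-form string and the structured collection of X.500-style attributes, together with the two checks the discussion calls for (the character-set limits that force the "(a)" hack, and the consistency of the "user friendly" attributes with the certified DN). The CA's endorsement is modelled as a MAC over the DN and attributes, a stand-in for the CA's certificate signature; the attribute types, the CA key and the e-mail address are assumptions for illustration, and the names are the ones used in the thread.

```python
"""Added example (not code from the thread): the two printableSubjectID
variants modelled in plain Python, with the checks the CA and the signature
verifier each need. Assumptions: attributes are (type, value) pairs; the
CA's endorsement is an HMAC over DN + attributes, standing in for the CA's
certificate signature; the CA key and e-mail address are placeholders."""
import hashlib
import hmac
import json
import re

# ASN.1 PrintableString alphabet (X.680): letters, digits, space and
# ' ( ) + , - . / : = ?   "@" is absent, which is why an e-mail address in a
# PrintableString needs the "(a)" hack; accented letters cannot appear at all.
_PRINTABLE_RE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")


def is_printable_string(s):
    return _PRINTABLE_RE.match(s) is not None


def smallest_string_type(s):
    """Narrowest ASN.1 string type that carries s without a lossy hack."""
    if is_printable_string(s):
        return "PrintableString"
    if all(ord(ch) < 128 for ch in s):
        return "IA5String"          # 7-bit ASCII: has "@", still no n-tilde
    return "UTF8String"             # needed for c-cedilla, n-tilde, ...


# Attribute types the hypothetical CA is willing to endorse (assumption).
ENDORSABLE_TYPES = {"cn", "o", "ou", "title", "telephoneNumber", "mail"}


def contradictions(dn, attrs):
    """Pairs in attrs that conflict with the DN: a type that also appears in
    the DN must carry one of the DN's values for that type."""
    dn_values = {}
    for typ, val in dn:
        dn_values.setdefault(typ, set()).add(val)
    return [(t, v) for t, v in attrs if t in dn_values and v not in dn_values[t]]


def _canonical(pairs):
    # Deterministic encoding so CA and verifier MAC identical bytes.
    return json.dumps(sorted(pairs), separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def _tag(ca_key, dn, attrs):
    return hmac.new(ca_key, _canonical(dn) + b"\n" + _canonical(attrs),
                    hashlib.sha256).hexdigest()


def ca_endorse(ca_key, dn, attrs):
    """CA side: apply policy (acceptable types, no conflict with the DN),
    then endorse DN and attributes together."""
    bad = [t for t, _ in attrs if t not in ENDORSABLE_TYPES]
    if bad:
        raise ValueError(f"CA will not endorse attribute types {bad}")
    conflicts = contradictions(dn, attrs)
    if conflicts:
        raise ValueError(f"attributes contradict DN: {conflicts}")
    return _tag(ca_key, dn, attrs)


def verify_and_present(ca_key, dn, attrs, tag, wanted):
    """Verifier side: accept only CA-endorsed, DN-consistent attributes and
    present just the types the application asked for (dict type -> values)."""
    if not hmac.compare_digest(_tag(ca_key, dn, attrs), tag):
        raise ValueError("attributes are not endorsed by this CA")
    if contradictions(dn, attrs):
        raise ValueError("endorsed attributes contradict the certified DN")
    shown = {}
    for typ, val in attrs:
        if typ in wanted:
            shown.setdefault(typ, []).append(val)
    return shown


# Constructed sample certificate contents (names from the thread; the CA key
# and the e-mail address are placeholders).
CA_KEY = b"demo-ca-key-not-a-real-secret"
DN = [("cn", "Robert R. Jueneman"),
      ("ou", "Wireless and Secure Systems Laboratory"),
      ("o", "GTE Laboratories")]
ATTRS = [("cn", "Robert R. Jueneman"),
         ("title", "Mgr., Secure Systems"),
         ("ou", "Wireless and Secure Systems Laboratory"),
         ("o", "GTE Laboratories"),
         ("mail", "rrj@example.invalid")]
# First variant: one free-form string the CA endorses as a whole; the
# verifier can only show or hide all of it.
FREE_FORM = ("Robert R. Jueneman, Mgr., Secure Systems, Wireless and Secure "
             "Systems Laboratory, GTE Laboratories")

if __name__ == "__main__":
    tag = ca_endorse(CA_KEY, DN, ATTRS)
    print(smallest_string_type(FREE_FORM))              # PrintableString
    print(smallest_string_type("rrj@example.invalid"))  # IA5String
    print(verify_and_present(CA_KEY, DN, ATTRS, tag, {"cn", "title"}))
```

The structured variant is what lets the verifying application select what to show (here, only cn and title), while the free-form string can only be displayed whole. The consistency check runs on both sides: the CA refuses to endorse attributes that contradict the DN it is certifying, and the verifier re-checks rather than trusting that the CA did.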