pem-dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: X.509 Certificate Extension Proposal

1994-09-19 10:46:00
from [Stephen Farrell] [Permanent Link] 

Hi Warwick,

Adding my own couple of options for extensions...

In a couple of different contexts I've come across requirements for
mapping different types of name to a DN/public key. Here's my list:

1) RFC-822 

        Covered in previous postings.

2) ORName 

        I guess this just needs an OID along with it to say what it is.
        There seem to be lots of cases in X.400 security (and I guess
        MSP also) where the ORName to DN mapping is not algorithmic.

3) EDIFACT Name
        
        This has been mentioned and would be something like a Printable
        String. (Maybe it has to be a pair - a (35 character) EDIFACT ID with
        an optional (4 character) QUALIFIER?)

4) Kerberos Name

        One we need for the SESAME project where we do some public key
        stuff mixed with Kerberos. This would require both Principal
        and Realm parts.

5) DNS name

        Pretty obvious that this is needed. I guess PEM covers the
        correct syntax?

6) DN

        Why not be able to map two DNs to one public key? Unlike in the
        other cases I haven't seen a specific requirement but I guess this
        could improve the security of aliasing within the DIT.

One other thing to note about these is that there will often be a
requirement for more than one of these to map to a single public Key,
(e.g. in SESAME we can map lots of kerberos principals to one public
key) so it may be better to make each of these be a SEQUENCE OF rather
than a one off.

I wouldn't see much difference in clumping all of these (and any other
widely recognised types of name) together into one big SEQUENCE with
each field OPTIONAL or having different Extension fields for each type
of name.

I guess none of these extensions would be criticial in general?

Regards,
Stephen.

==========================================================================
Stephen FARRELL.......................................tel: +353-1-676 9089
Software and Systems Engineering Ltd..................fax: +353-1-676 7984
Fitzwilliam Court............................email: 
stephen(_dot_)farrell(_at_)sse(_dot_)ie
Leeson Close.....X.400: /c=ie/a=eirmail400/p=sse/o=sse/s=farrell/g=stephen 
Dublin 2..................................................................
IRELAND................................................"A Siemens Company"
==========================================================================
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Tragecomic directory problems., Jueneman
Next by Date:  Re: Directory service providers vs. distinguished names, Mr Rhys Weatherley
Previous by Thread:  Re: re:X.509 Certificate Extension Proposal, warwick (w.s.) ford
Next by Thread:  encoding of Certificate abstract syntax, Peter Williams
Indexes:  [Date] [Thread] [Top] [All Lists]