Shyh-Wei:

You can always achieve the effect of a unique identifier by adding an
attribute value assertion into the distinguished name for that purpose.
For example, if Common Name is not assigned so as to be inherently unique,
you can add another attribute that carries Employee Number or Customer
Number, which is arranged to be unique.

This is generally considered much better than using the subjectUniqueId
field since (a) the latter is not transmitted in many protocols; (b) most
products do not implement it and are likely to ignore it; and (c) there is
generally no provision to display it in UIs.

Warwick

At 12:55 PM 5/23/97 -0700, Shyh-Wei Luan wrote:
>I have some concerns with how people are using X.509 certificates and a
>recommendation of dependending on non-reusable names.
>
>X.509 certificate has the following two fields that are used to
>define a subject's identity, where the "subject" is the entity being
>authenticated.
>
> subject
> subjectUniqueID
>
>The "subject" field identifies the entity with a general name, where
>the subjectUniqueID field is used to handle the possibility of reuse of
>subject's general name. It is currently suggested in
>draft-ietf-pkix-ipki-part1-04.txt, "Internet Public Key Infrastructure, Part
>I: X.509 Certificate and CRL Profile," that the subject name should not be
>reused, and the subjectUniqueID should be left unused.
>
>Here are two paragraphs excerpted from the draft:
>
>"The subject name identifies the entity associated with the public key
>stored in the subject public key field. The subject identity may be carried
>in the subject field and/or the subjectAltName extension. If identity
>information is present only in the subjectAltName extension (e.g., a key
bound
>only to an email address or URI), then the subject name may be an empty
>sequence and the subjectAltName extension must be critical."
>
>"The subject and issuer unique identifier are present in the certificate
>to handle the possibility of reuse of subject and/or issuer names over time.
>This profile recommends that names not be reused and that Internet
certificates
>not make use of unique identifiers. CAs conforming to this prefile should
not
>generate certificated with unique identifiers. Applications conforming to
>this profile should be capable of parsing unique identifiers and making
>comparisons."
>
>I believe that following the above recommendation (of not using unique
>identifiers) will cause significant problems in the future when the PKI takes
>a life of its own. I think that many CA's (Certification Authorities)
>will have long lifetimes. For example, enterprises, government offices,
>international organizations, and even internet service providers will likely
>to become CA's and they will certify a lot of entities. At some point in
time,
>we will see most meaningful and easy to understand/remember names used up.
>(We have already seen this phenomena in popular places on the Internet where
>everyone likes to subscribe to, such as on-line newspaper web sites.) CA
>operators will bear the responsibility to enforce that names are not reused.
>The consequences of breaking the non-reuse policy may be unacceptable.
>
>Why?
>
>Applications (commerce or anything else) will use the subject identity
>to make authorization decisions. If the PKI becomes as successful as today's
>web, there will be millions of Access Control Lists soon. These names
will be
>the basis of the protection against unauthorized accesses of all kinds. Many
>of these ACL's will be longliving, and it will be hard to change them all in
>response to the reuse of a subject name.
>
>Since names cannot be reused, new names will become more and more
unnatural and
>hard to comprehend and memorize, and different people will have different
>ways in addressing the uniqueness.
>
>I believe it is natural and should be encouraged, if not required, to always
>associate the subject name with a unique identifier. All the internet
>businesses should be required to use both the subject name and the unique
>identifier as the basis of all authorization decisions. Without this
>requirement, privacy and protection of subject's internet resources,
financial
>assets, etc, can be all at risk. It could become more serious than
>the "Year 2000" problem.
>
>Comments?
>
>Shyh-Wei Luan
>
>
---------------------------------------------------------------------
Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
***@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716
---------------------------------------------------------------------

Shyh-Wei Luan,

The reasons you cite are ones that motivated the introduction of the
Subject and Issuer Unique IDs. However, one can argue that appropriate
care in managing names can largely avoid this problem. For example, every
company I know assigns an employee ID (or payroll ID, or whatever)
specifically to distinguish among folks who are work for the company
(either at the same time or over some time interval) and who may have the
same name. If one uses a DN in the Subject field, it would be appropriate
to make the terminal RDN be a set, consisting of a common name and an
employee ID number, to do the same thing that the personnel/payroll
departments figured out years ago. So, for organizational persons, this
argues against using the Subject UID field. For many other contexts,
account numbers are likley to be employed as Subject IDs, and the
organizations dealing with the certs already know how to manage account
number rollover (and often will not be using ACLs as one might in a
distributed system).

Steve

> -----Original Message-----
> From: Shyh-Wei Luan [SMTP:***@almaden.ibm.com]
> Sent: Saturday, 24 May 1997 8:07
> To: Warwick Ford; ***@almaden.ibm.com; ietf-***@tandem.com;
> ssl-***@netscape.com
> Subject: Re: X.509 certificate and its subject name field
>
>
> On May 23, 5:17pm, Warwick Ford wrote:
> > Subject: Re: X.509 certificate and its subject name field
> > Shyh-Wei:
> >
> > You can always achieve the effect of a unique identifier by adding
> an
> > attribute value assertion into the distinguished name for that
> purpose.
> > For example, if Common Name is not assigned so as to be inherently
> unique,
> > you can add another attribute that carries Employee Number or
> Customer
> > Number, which is arranged to be unique.
>
> IMO, subject names should be simple, short, easy to
> comprehend/remember/cite.
> Adding attribute value assertion into names will make all these
> difficult.
> My idea is that we should separate human readable part and the human
> unfriendly
> part for easier management, browsing, search, etc. A separate unique
> identifier field is a good idea and we should use it. Otherwise, we
> will be
> tied to the evil/ugliness of "unique names" forever. Names are never
> unique
> and they will never be. When it is unique, it is no longer a name,
> but some
> kind of monster.
>
> [Charles Moore] I would support staying with the Unique DN.
> But there is a more general issue here, as an example, my name is
> Charles Moore what attributes I need to put in
> a DN to get uniqueness does not change my name only qualifies it.
>
> I have no reason to want to see my DN or OR address, applications look
> after this for me.
> When replying to this message I am replying to "Shyh-Wei Luan" not
> your Internet address the mail app sorts this out for me.
>
> [Charles Moore] In summary, I agree your name should be your name and
> I would suggest that you qualify it
> using the standard DN attributes to achieve uniqueness ( and I don't
> believe we will run out of unique space here).
>
>
>

Forgive my ignorance, but doesn't a significant portion of the capability in
these discussions rely on a hierarchical and structured naming
convention/capability? Is this being designed into ediParty or DNS naming?


Sandi
----------
From: chandras
To: Charles Moore; Shyh-Wei Luan; Warwick Ford; ietf-pkix; ssl-talk
Subject: Re: X.509 certificate and its subject name field
Date: Friday, May 23, 1997 4:25PM

Charles,
> >

> > [Charles Moore] In summary, I agree your name should be your name and
> > I would suggest that you qualify it
> > using the standard DN attributes to achieve uniqueness ( and I don't
> > believe we will run out of unique space here).

Different CA may use different ways/attributes to achieve
uniqueness and it is embedded in the Subject Name. It is confusing to both
human and applications to carve out what they care/understand/use. Using
a separate field would make it more organized and easier for human and
applications in the long term.

I'll have to shut down my machines now for a weekend site shutdown. I'll
contine the discussions with you guys next Wed.

Have a nice Memorial Day weekend,

Shyh-Wei

Please forgive my ignorance, but are applications required to use both the
subject name and issuer name to establish identity for authorization purposes?

If not, then I would think it vital to use something like a UUID in the
unique id field. A single CA could certainly refrain from issuing
certificates with the same subject name, but subject names will surely get
duplicated across distinct CAs and most users will trust multiple CAs.

Hal
=================================================================
Harold W. Lockhart Jr. PLATINUM technology, Inc.
Chief Technical Architect 8 New England Executive Park
Email: ***@platsol.com Burlington, MA 01803 USA
Voice: (617)273-6406 Fax: (617)229-2969
=================================================================

At 05:17 PM 5/23/97 -0700, Warwick Ford wrote:
>Shyh-Wei:
>
>You can always achieve the effect of a unique identifier by adding an
>attribute value assertion into the distinguished name for that purpose.
>For example, if Common Name is not assigned so as to be inherently unique,
>you can add another attribute that carries Employee Number or Customer
>Number, which is arranged to be unique.
>
>This is generally considered much better than using the subjectUniqueId
>field since (a) the latter is not transmitted in many protocols; (b) most
>products do not implement it and are likely to ignore it; and (c) there is
>generally no provision to display it in UIs.
>
>Warwick
>
>At 12:55 PM 5/23/97 -0700, Shyh-Wei Luan wrote:
>>I have some concerns with how people are using X.509 certificates and a
>>recommendation of dependending on non-reusable names.
>>
>>X.509 certificate has the following two fields that are used to
>>define a subject's identity, where the "subject" is the entity being
>>authenticated.
>>
>> subject
>> subjectUniqueID
>>
>>The "subject" field identifies the entity with a general name, where
>>the subjectUniqueID field is used to handle the possibility of reuse of
>>subject's general name. It is currently suggested in
>>draft-ietf-pkix-ipki-part1-04.txt, "Internet Public Key Infrastructure, Part
>>I: X.509 Certificate and CRL Profile," that the subject name should not be
>>reused, and the subjectUniqueID should be left unused.
>>
>>Here are two paragraphs excerpted from the draft:
>>
>>"The subject name identifies the entity associated with the public key
>>stored in the subject public key field. The subject identity may be carried
>>in the subject field and/or the subjectAltName extension. If identity
>>information is present only in the subjectAltName extension (e.g., a key
>bound
>>only to an email address or URI), then the subject name may be an empty
>>sequence and the subjectAltName extension must be critical."
>>
>>"The subject and issuer unique identifier are present in the certificate
>>to handle the possibility of reuse of subject and/or issuer names over time.
>>This profile recommends that names not be reused and that Internet
>certificates
>>not make use of unique identifiers. CAs conforming to this prefile should
>not
>>generate certificated with unique identifiers. Applications conforming to
>>this profile should be capable of parsing unique identifiers and making
>>comparisons."
>>
>>I believe that following the above recommendation (of not using unique
>>identifiers) will cause significant problems in the future when the PKI takes
>>a life of its own. I think that many CA's (Certification Authorities)
>>will have long lifetimes. For example, enterprises, government offices,
>>international organizations, and even internet service providers will likely
>>to become CA's and they will certify a lot of entities. At some point in
>time,
>>we will see most meaningful and easy to understand/remember names used up.
>>(We have already seen this phenomena in popular places on the Internet where
>>everyone likes to subscribe to, such as on-line newspaper web sites.) CA
>>operators will bear the responsibility to enforce that names are not reused.
>>The consequences of breaking the non-reuse policy may be unacceptable.
>>
>>Why?
>>
>>Applications (commerce or anything else) will use the subject identity
>>to make authorization decisions. If the PKI becomes as successful as today's
>>web, there will be millions of Access Control Lists soon. These names
>will be
>>the basis of the protection against unauthorized accesses of all kinds. Many
>>of these ACL's will be longliving, and it will be hard to change them all in
>>response to the reuse of a subject name.
>>
>>Since names cannot be reused, new names will become more and more
>unnatural and
>>hard to comprehend and memorize, and different people will have different
>>ways in addressing the uniqueness.
>>
>>I believe it is natural and should be encouraged, if not required, to always
>>associate the subject name with a unique identifier. All the internet
>>businesses should be required to use both the subject name and the unique
>>identifier as the basis of all authorization decisions. Without this
>>requirement, privacy and protection of subject's internet resources,
>financial
>>assets, etc, can be all at risk. It could become more serious than
>>the "Year 2000" problem.
>>
>>Comments?
>>
>>Shyh-Wei Luan
>>
>>
>---------------------------------------------------------------------
>Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
> ***@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716
>---------------------------------------------------------------------
>
>
>
=================================================================
Harold W. Lockhart Jr. PLATINUM technology, Inc.
Chief Technical Architect 8 New England Executive Park
Email: ***@platsol.com Burlington, MA 01803 USA
Voice: (617)273-6406 Fax: (617)229-2969
=================================================================

In reply to your message of 27 May 97, 19:08:

One solution is to use a national ID scheme. In the UK all employed
people are given a National Insurance number which is unqiue to them
and doesn't change over their lifetime. There may
be however some privacy questions with such a scheme

Nick Pope

> Steve,
>
> Let's think what happens during a corporate reorganization, company
> mergers, or country unifications (:)). Names and directories may
> change! If UID's are embedded in names and if applications do not
> carve out the UID's for use in authorization decisions/ACL's, then we
> will have a BIG trouble! If it is suggested that applications will
> have to pick up the UID from within the subject name, then it should
> be made clear in the spec. But, then how would non-X500 names be
> dealt with when they are supported??? Why don't we suggest the use of
> the Subject UID field, then sit back and relax.
>
> On May 27, 1:46pm, Stephen Kent wrote:
> > Subject: Re: X.509 certificate and its subject name field
> > Shyh-Wei,
> >
> > I think that, for organizational persons, a second component for
> > the terminal RDN would usually be something that those managing the local
> > namespace would see as natural, i.e., it is something like an employee ID
> > number that has already been assigned and thus is not an arbitrary string
> > like the Subject UID.
>
> Why can't an employee ID number be used as ths Subject UID, if the ID
> is never reused?
>
> >
> >-- End of excerpt from Stephen Kent
>
>
>
>

-------------------------------------


Security & Standards
Suite A
191 Moulsham St.
Chelmsford
Essex
CM2 0LG
U.K.

Tel: +44 1245 495018
Fax: +44 1245 494517

Kent,

> Shyh-Wei,

> Is the Subject UID globally unique? I don't recall the spec
> providing an algorithm for ensuring such uniqueness across all CAs.

I don't think the Subject UID needs to be globally unique. It needs
to be unique within each CA. It is the issuing CA (or chain/path of
CA's) that makes the context for the uniqueness.

> My
> recollection was that the SUID was intended to be used in conjunction with
> the Subject DN to increase the likelihood that the combination of the two
> would be unique, but it still would not be a guarantee.

I think unique Subject DN's is impossible to enforce unless it includes
something like a unique Subject ID. My arguement has been that we should
use separate fields.

> That's why there
> also is an Issuer UID, suggesting the need to check both the Issuer and
> Subject DNs and UIDs all the way along a chain to ensure uniqueness in the
> context of DNs that are not temporially unique. That makes for some very
> ugly ACL entries!

People will need to specify what CA's or chains of CA's they trust anyway.
Having a unique DN does not necessarily help to make it simpler.

Here are some examples of ACL entries:

Entry 1 (with only one CA):
Target Subject: Company X, UID 345878293, CA Subject: US Dept. of Commerce

Entry 2 (with a chain of two CA's):
Target Subject: Shyh-Wei Luan, UID B23910910, CA Subject: California DMV
Target Subject: California DMV,UID 123, CA Subject: Texas DMV

Subject names are only for human reference, and ACL enforcement is based
on UID's.

> As for corporate mergers, those would change the Issuer DNs at some
> point, at least for a company that was absorbed, and thus all the user
> certs would need to be reissued and ACLs updated. If the companies merge
> to form a newly named entity, then everyone gets a new cert, and all the
> ACLs need to be fixed, as none of the old entriesd will match any of the
> new names.

Recertifying with new names is fine since CA's are more centralized.
Having to fix all ACL's may not be acceptable at all because they may be
all over the places! This is why I think ACL's should be based on Subject
UID's, which do not need to change when names change.

Shyh-Wei

> From: "Shyh-Wei Luan" <***@almaden.ibm.com>
>
> Let's think what happens during a corporate reorganization, company mergers,
> or country unifications (:)). Names and directories may change! If UID's
> are embedded in names and if applications do not carve out the UID's for use in
> authorization decisions/ACL's, then we will have a BIG trouble! If it is
> suggested that applications will have to pick up the UID from within the
> subject
> name, then it should be made clear in the spec.

If the value of a SubjectUID field can be chosen to satisfy uniqueness
requirements, then that identical value can be used as (for example)
the SerialNumber attribute-type-and-value of the terminal RDN. There
is no requirement to use an employee number, that was just suggested as
an example. Thus reorganizations/mergers/etc have no effect on the
choice between putting the UID into the Subject Name or the SubjectUID
field.

I'm not sure what needs to be clearer in the spec - applications will
use the subject name. The subject name will be unique (if the PKI
administrators choose to make it so). Perhaps you are suggesting
User Interface guidelines to supress the display of particular name
components? I don't believe UI guidelines are the province of PKIX,
but it's possible that some appropriate wording could be found.


> But, then how would non-X500
> names be dealt with when they are supported??? Why don't we suggest the
> use of the Subject UID field, then sit back and relax.

I don't know anything about EDI names, but DNS names must be unique,
otherwise the Internet wouldn't work! Your point about making such names
either long or cryptic to get uniqueness is valid, but that is DNS and
RFC-822's problem, not PKIX's.

I think that EDI names (or any other SubjectAltName forms) would have to
have the same intrinsic uniqueness requirements as a result of their
respective problem domains, and that PKIX would not add any additional
requirements for a separate UID field.


In short, I agree that putting any necessary uniqueness information
into the Subject name field is the correct approach (and that the
SubjectUID and IssuerUID fields should have been valid only when
version == v2, not when version >= v3 :-).

> From: "Shyh-Wei Luan" <***@almaden.ibm.com>
>
> Let's think what happens during a corporate reorganization, company mergers,
> or country unifications (:)). Names and directories may change! If UID's
> are embedded in names and if applications do not carve out the UID's for use in
> authorization decisions/ACL's, then we will have a BIG trouble! If it is
> suggested that applications will have to pick up the UID from within the
> subject
> name, then it should be made clear in the spec.

If the value of a SubjectUID field can be chosen to satisfy uniqueness
requirements, then that identical value can be used as (for example)
the SerialNumber attribute-type-and-value of the terminal RDN. There
is no requirement to use an employee number, that was just suggested as
an example. Thus reorganizations/mergers/etc have no effect on the
choice between putting the UID into the Subject Name or the SubjectUID
field.

I'm not sure what needs to be clearer in the spec - applications will
use the subject name. The subject name will be unique (if the PKI
administrators choose to make it so). Perhaps you are suggesting
User Interface guidelines to supress the display of particular name
components? I don't believe UI guidelines are the province of PKIX,
but it's possible that some appropriate wording could be found.


> But, then how would non-X500
> names be dealt with when they are supported??? Why don't we suggest the
> use of the Subject UID field, then sit back and relax.

I don't know anything about EDI names, but DNS names must be unique,
otherwise the Internet wouldn't work! Your point about making such names
either long or cryptic to get uniqueness is valid, but that is DNS and
RFC-822's problem, not PKIX's.

I think that EDI names (or any other SubjectAltName forms) would have to
have the same intrinsic uniqueness requirements as a result of their
respective problem domains, and that PKIX would not add any additional
requirements for a separate UID field.


In short, I agree that putting any necessary uniqueness information
into the Subject name field is the correct approach.

(If X.509 had left the comments on issuerUniqueIdentifier and
subjectUniqueIdentifier alone, as "-- if present, version must be v2"
instead of amending them to "v2 or v3", none of this discussion would
be necessary :-).

Steve,

I think I should give a brief summay in the hope to make some of my
observations/points more clear.

(1) I have always agreed that one can add a UID component to a DN and make it
unique.
(2) I think using the Subject UID field that makes an identity unique WITHIN
the issuing CA is better because it would be more EXPLICIT and INTUITIVE
(which I think are important properties to achieve sound security), and
it is not tied to the X.500 naming scheme.
(3) I think users should be allowed to make ACL entries based on name
patterns/attributes or SUID's. (I used to think it should always be based
on SUID's.) One should know which specific field to count on for the
uniqueness.
(4) When authorization is based solely on the Subject UID, the whole name (DN)
can still be included on ACL entries for the ease of browsing and
management.
(5) The spec should warn the users that unique names should be *unique over the
time* and explain the potential serious consequences otherwise.
(6) I am not sure if I'd challenge the current requirement to use a DN in the
Subject Name field of the X.509 certificate. Sure, it is in X.500 family
and, for the potential benefit of the directory system, it is naturally so. But I think the world is more networked/ webbed than hierarchical. I am
not sure if it is a good idea to require every name to be in the X.500
hierarchy.

Shyh-Wei
---------

On May 28, 4:02pm, Stephen Kent wrote:
> Subject: Re: X.509 certificate and its subject name field

> A driver's license number would be a fine DN component for a state
> issuing the cert equivalent of licenses; it need not be put in the Sub UID
> field. Look at the SET spec and note how they handled this issue based on
> credit card numbers.


> Still, the issue is that an arbitrary Subject UID value makes for a
> terrible ACL entry, by itself. It creates a tremendous opportunity for
> management errors, as one cannot look at the ACL entry to figure out who is
> authorized to do what. Instead, one must go through a (trusted) mapping
> form Subject UID to Subject name. That is the point several of us have
> been making.
>
> Steve
>
>
>
>-- End of excerpt from Stephen Kent



> From: Stephen Kent <***@bbn.com>
> Subject: Re: X.509 certificate and its subject name field
> Cc: ietf-***@tandem.com, ssl-***@netscape.com

> Shyh-Wei Luan,

> A driver's license number would be a fine DN component for a state
> issuing the cert equivalent of licenses; it need not be put in the Sub UID
> field. Look at the SET spec and note how they handled this issue based on
> credit card numbers.

> Still, the issue is that an arbitrary Subject UID value makes for a
> terrible ACL entry, by itself. It creates a tremendous opportunity for
> management errors, as one cannot look at the ACL entry to figure out who is
> authorized to do what. Instead, one must go through a (trusted) mapping
> form Subject UID to Subject name. That is the point several of us have
> been making.

> Steve

> Marc:
>
> Why do you claim that a subject name is not persistent? The whole intent
> of the X.500 and X.509 models is that these names be persistent, to the
> extent that the object that they identify is persistent. Why do we need
> yet another field?
>
> Warwick


This comment goes right to the core of the issue. CAs earn their fees
by managing a namespace - binding attributes to identities (names) is
their raison d'etre. Suggesting that the PKI (a set of interworking
CAs) be responsible for managing two separate but correlated namespaces
is both unnecessary and confusing.


1) Peter suggested that using a fingerprint (hash of the entire certificate)
has been accepted in practice to date. However, that is contradictory to
the desire for persistent IDs for use in ACLs. Not only would the
fingerprint change when the DN changed (a relatively rare occurrence), but
also whenever any other field of the certificate changed (which is
guaranteed to occur at least as often as the normal refresh period).


2) Marc Branchaud wrote:
> Let me suggest an entirely new field, the PID (for Persistent ID). The CA
> assigns a locally-unique PID to each of its subjects, and these PIDs will
> never change as long as that subject is registered to that CA. The PID
> can be included in certificates to give ACL maintainters something to use
> in their lists.

Since the PIDs are to be locally unique, the ACL maintainers are expected
to use the entire path of PIDs back to the trusted node as the ACL name?
The PID hierarchy (or mesh) must be rigidly conformant to the CA
topology? As I remember, this was one of the cited disadvantages of
the PEM naming scheme, and removing this inflexibility was the primary
impetus for developing x.509v3.

Also, if an organization changes CAs, every PID-based ACL entry becomes
invalidated. I would expect changes in the supplier of CA services to
be a far more likely occurence than DN changes required as a result of
mergers/acquisitions.


3) Shyh-Wei wrote:
> I think I should give a brief summay in the hope to make some of my
> observations/points more clear.
>
> (1) I have always agreed that one can add a UID component to a DN and make it
> unique.
> (2) I think using the Subject UID field that makes an identity unique WITHIN
> the issuing CA is better because it would be more EXPLICIT and INTUITIVE
> (which I think are important properties to achieve sound security), and
> it is not tied to the X.500 naming scheme.

See comments above on locally-unique IDs. I don't see how it is more
explicit and intuitive to tightly link the SUID namespace to the CA path
topology, requiring SUID-based names to have as many elements as there are
nodes in the certification path.

> (3) I think users should be allowed to make ACL entries based on name
> patterns/attributes or SUID's. (I used to think it should always be based
> on SUID's.) One should know which specific field to count on for the
> uniqueness.

This is simpler than just using names (which may include a UID attribute
if necessary to provide local uniqueness)???


> (4) When authorization is based solely on the Subject UID, the whole name (DN)
> can still be included on ACL entries for the ease of browsing and
> management.

I don't understand this comment.

If under your hypothetical example the SUID remains constant when the
DN changes as a result of some organizational restructuring, the claimed
advantage of SUIDs was that ACLs would not need to be updated. If the
DN is included in ACL entries, won't the ACL need to be updated when the
DN changes, even if the SUID doesn't change?

I even question the basic premise that it is desirable to allow ACLs
to remain valid in the face of organizational changes. If I change
jobs within the organization (say from engineering to marketing :-),
it's likely that any ACLs I have would have to be updated to reflect
new duties and responsibilities. If the whole organization
changes it's name but not its structure (say, from Esso to Exxon),
it seems like a fairly trivial mechanical process to change every
occurrence of "Esso" within every ACL entry to "Exxon".


> (6) I am not sure if I'd challenge the current requirement to use a DN in the
> Subject Name field of the X.509 certificate. Sure, it is in X.500 family
> and, for the potential benefit of the directory system, it is naturally so. But I think the world is more networked/ webbed than hierarchical. I am
> not sure if it is a good idea to require every name to be in the X.500
> hierarchy.

Where is this required? If X.509 certificates are to be used within
(or compatible with) the Directory, DNs are naturally hierarchical
directory names. I think "the world" has resorted to hierarchical
organization of names because it's the most scalable way of making
information searchable, accessible, and maintainable, not because of
any belief that people actually exist in real-world hierarchies.

But if you have some other requirement in mind, X.509 allows names to
be of any form you wish - DNs are just an arbitrary set of tagged
values. If you want a flat namespace, the DN can just be a single RDN
with one (or more) AT&Vs.

-----BEGIN PGP SIGNED MESSAGE-----


On Thu, 29 May 1997, Warwick Ford wrote:
>
> Marc:
>
> Why do you claim that a subject name is not persistent? The whole intent
> of the X.500 and X.509 models is that these names be persistent, to the
> extent that the object that they identify is persistent. Why do we need
> yet another field?
>
> Warwick
>

I'll be the first to admit that my knowledge of X.500 is marginal at best.
I based my conclusion on the points raised in this thread by Shyh-Wei Luan
and my own tenuous understandings...

Let me quote the message from Shyh-Wei Luab that I think defined the
problem:

On Tue, 23 May 1997, Shyh-Wei Luan wrote:
>
> Let's think what happens during a corporate reorganization, company
> mergers, or country unifications (:)). Names and directories may change!
> If UID's are embedded in names and if applications do not carve out the
> UID's for use in authorization decisions/ACL's, then we will have a BIG
> trouble! If it is suggested that applications will have to pick up the
> UID from within the subject name, then it should be made clear in the
> spec. But, then how would non-X500 names be dealt with when they are
> supported??? Why don't we suggest the use of the Subject UID field, then
> sit back and relax.

This implies that names may not be as persistent as the objects they
identify. Including persistent information, such as an employee number,
in the DN helps. The ACLs can be written using only that information.

But it becomes problematic on a larger scale: an ACL that relies on
different CAs would have to understand how each CA encodes the persistent
information into their DNs. Having a standard place to find that info is
the solution that's being discussed. Shyh-Wei Luan suggested using the
UID fields, which many people don't like. So I suggested a whole new
field, hoping that this would isolate the issue from the baggage
associated with the UID fields.

Without this kind of field, I can see a de facto DN attribute evolving to
contain persistent information. I have the impression that DN attributes
are somewhat arbitrarily chosen by the directory administrators. That is,
it's difficult to mandate a required field. Yet this persistent info
basically must always be present, so perhaps it would be better to add an
extra field to the certs. Perhaps a standard (critical?) extension would
suffice.

I just don't know enough about X.500 and DNs to state these things
definitively. The main question, for me, is how dynamic are DNs?

Marc

- ---------------------------------------------------------------
Marc Branchaud, Chief PKI Designer

Xcert Software Inc.
1001-701 West Georgia Street
P.O. Box 10145, Pacific Centre tel: 1-604-640-6210
Vancouver, B.C., Canada V7Y 1C6 fax: 1-604-640-6220
http://www.xcert.com email: ***@xcert.com
Internet Security Technologies
Press coverage - http://www.xcert.com/corp/clippings/index.html
- ---------------------------------------------------------------

>(A) Peter says that it is common practice in https servers to use
>a hash of the (entire) certificate as a key for mapping to a user,
>but I'm not sure which ones he's referring to.

A variant of this is to use the hash of the public key fields. This is
(virtually) guaranteed unique for each key, can be easily reconstructed from
either the public or private key, and won't change during cert renewals and
whatnot. I know of several (not publicly deployed) systems which are using
this, I don't know why it isn't more common because it solves many of the
problems which arise from the use of DN's.

Peter.

At Glaxo Wellcome we have given some thought about setting up the
enterprise directory (X.500/LDAP) and establishing an internal CA. I'm
not an x.500 expert, so pardon me if I am not precise at using the X.500
jargon.

We are a fairly large, international pharmaceutical company. We have
about 35,000 entries in our curent e-mail directory world-wide. For our
prototype directory (using an X.500 product), the Distinguished name is
a double-valued field. The two values are the subject name and a user
ID. We use this design because peoples names are not going to be unique
when you have 35,000 people in a directory. Hence, we have to generate
a unique ID. Without the unique ID, names would have to be mangled to
ensure uniqueness (as is done with cc:Mail.) I prefer to use Jim as a
first name, but without the unique ID, my entry would probably end up as
"James Wade Allen" which might not identify me to anyone.

It is fortunate that the X.500 directory supports multi-valued fields.
As pointed out earlier in the discussion, you can search on either
value. My directory entry will be found if you search on "Jim Allen" or
"JWA39430" (my user ID). If X.500 did not support mulitiple values,
then we would certainly be forced to use the user ID for uniqueness and
carry the person's name as an attribute. In any event, I can't see how
carrying the user ID in another field (such as Subject ID) simplifies
the situation or makes it more intuitive. In X.500, the DN is the key
to the database.

We don't have a prototype for a certificate authority yet, so I am
speculating about what will happen. Our vision is that we will have one
certificate authority for Glaxo Wellcome worldwide. The reason for only
one is that we have applications which run worldwide and people need to
have one user ID which works worldwide. Hence, the issuing authority
will simple be Glaxo Wellcome, not Glaxo Wellcome US or Glaxo Wellcome
UK.

ACLs will not change (initially). When I get a certificate and begin
using it for authentication, applications can key on my user ID as they
currently do. The only thing which as changed is that I authenticate
using Public Key technology rather than an user ID. Note that the
person's name may change and the certificate may expire and a new one is
issued, but the ACL entries doesn't change.

When people external to Glaxo Wellcome use our computer systems, we
issue them a Glaxo Wellcome user ID. With certificate-based
authentication, we probably wouldn't issue them a user ID. I suspect we
would verify that their CA does a rigorous job of issuing certifcates
and then accept as valid any certificate from that organization. When
that begins to happen, ACLs would need user ID and the issuing CA name
to guarrantee uniqueness.

I don't think PKI changes Identification and Authorization in a
fundamental way. An organization still has to develop a discipline for
naming people (and servers, etc.) in an organization to ensure
uniqueness. What is changing is that our internal networks are becoming
more open and accessible by people outside our organization. Hence the
traditional user ID is only unique in the context of a company name.
Perhaps we should use glaxowellcome.com as the name of our CA to really
ensure uniqueness.

There is going to be some directory for the Internet. It will probably
be a mesh of LDAP directory servers. What will be the key for the
'database'? The only answer that I can come up with is that it will be
the e-mail name. It is unique and were currently using it.

I hope these comments illuminate the discussion. Part of the problem of
following the discussion is understanding the environment that the
speaker is thinking about.

At 09:19 AM 5/30/97 -0400, dave horvath wrote:
>We have found the global uniqueness of a "Certificate"
>may be defined by the Subject DN, Issuer DN, Algorithm ID
>and validity period. Keep in mind that global uniqueness
>of a "certificate" is different that global uniqueness of a subject's
>identity. The reason I feel all of these fields are required to
>uniquely identify a "certificate" is that CAs may issue, for example,
>an RSA and DSA certificate for the same user.

I thought the specs were very clear that the combination of issuer name and
serial number were *required* to be unique. Otherwise CRLs don't work.

However, this discussion is really about the semantics of the subject.

By the way, <draft-ietf-pkix-ipki-part1-04.txt> defines subject name and
issuer name to be sequences of RDNs. Naturally they *can* be DNs, but I see
nothing in the spec that says they *must* be DNs or that subject name must
be unique per issuer. Have I overlooked something in the document?

Several people appear to be assuming that *all* subject names are DNs.
Others seem to believe that all CAs that a given environment will accept
certificates from will have a common root CA. Still others seem to assume
certificates will be tied a deployed directory service, not merely use X.500
style naming. I see nothing in the document or the way certificates are
used today to support any of them. The directory assumption is explicitly
denyed in section 2.1.

Regards,

Hal
=================================================================
Harold W. Lockhart Jr. PLATINUM technology, Inc.
Chief Technical Architect 8 New England Executive Park
Email: ***@platsol.com Burlington, MA 01803 USA
Voice: (617)273-6406 Fax: (617)229-2969
=================================================================

Some more responses to David Kemp's comments on my summaries:

On May 30, 4:47pm, Marc Branchaud wrote:
....

> On Thu, 29 May 1997, David P. Kemp wrote:

> > > (2) I think using the Subject UID field that makes an identity unique
WITHIN
> > > the issuing CA is better because it would be more EXPLICIT and
INTUITIVE
> > > (which I think are important properties to achieve sound security),
and
> > > it is not tied to the X.500 naming scheme.
> >
> > See comments above on locally-unique IDs. I don't see how it is more
> > explicit and intuitive to tightly link the SUID namespace to the CA path
> > topology, requiring SUID-based names to have as many elements as there are
> > nodes in the certification path.

It was suggested to use a UID embedded in a DN as an attribute to address the
need of temporal uniqueness. I think it would be more explicit and intuitive
to use a field such as the Subject UID field for this purpose. BTW, I am not
inventing a new name space here, what I want is the ability to bind ACL entries
that are identity based to *persistent* ID's. An ID can very well be annotated
with the associated name, but the authorization decisions will be based on the
ID.

> > > (3) I think users should be allowed to make ACL entries based on name
> > > patterns/attributes or SUID's. (I used to think it should always be
based
> > > on SUID's.) One should know which specific field to count on for the
> > > uniqueness.
> >
> > This is simpler than just using names (which may include a UID attribute
> > if necessary to provide local uniqueness)???

Without laying out an ACL management design and the goals that we want to
achieve, it is impossible to say what is simpler. What I have been trying
to point out is that using DN's as ACL entries will have problems in many
situations.

> > > (4) When authorization is based solely on the Subject UID, the whole name
(DN)
> > > can still be included on ACL entries for the ease of browsing and
> > > management.
> >
> > I don't understand this comment.
> >
> > If under your hypothetical example the SUID remains constant when the
> > DN changes as a result of some organizational restructuring, the claimed
> > advantage of SUIDs was that ACLs would not need to be updated. If the
> > DN is included in ACL entries, won't the ACL need to be updated when the
> > DN changes, even if the SUID doesn't change?

As I said earlier, the timeliness of the annotation changes would not be
as critical, also that ACL engines can update the annotations asynchronously.

> > I even question the basic premise that it is desirable to allow ACLs
> > to remain valid in the face of organizational changes. If I change
> > jobs within the organization (say from engineering to marketing :-),
> > it's likely that any ACLs I have would have to be updated to reflect
> > new duties and responsibilities.

In this case, it is ALSO a bad idea to include DN's in the ACL. It would be
better to just put something like (Company X, Engineering Department, Project
Managers) on the ACL's, as oppose to put an individual's DN there.

> > If the whole organization
> > changes it's name but not its structure (say, from Esso to Exxon),
> > it seems like a fairly trivial mechanical process to change every
> > occurrence of "Esso" within every ACL entry to "Exxon".

We may not even know which applications have been using these DN's in their
ACLs.

Shyh-Wei

[The discussion about key fingerprints seems to have fragmented into several
threads in private mail, I'll try and recombine them using the summary below]

First, a clarification of what I meant with the hash of the public key. I
didn't mean the ID should be the hash of the entire cert, but only the public
key components:

KeyID ::= DigestInfo -- Hash of SubjectPublicKeyInfo

The idea is that instead of saying "Fetch the cert for this incredibly
complicated and ambiguous DN" you can say "Fetch the cert for this short,
unambiguous blob". Basically the hash acts as a key (in the database sense,
not the crypto sense) for the cert.

(A useful side-effect is that you can regenerate the keyID from the public or
private key at any point. I have an implementation which uses PGP private
keys with X.509 public keys, using keyID's to match the two up. This could
finally provide a means to marry PGP with X.509).

In practice you use the hash/key to fetch the cert (eg from an RDBMS), then
once you have it you handle the DN-based identity as required (or just ignore
it if you have the hash present as an authenticated attribute. One system I
know of completely ignores the DN because it serves no useful purpose, all they
want to do is authenticate messages and they can do that because they know that
the hashes identify a key used by a given site and user). It's basically a
(secure) variant of PGP's keyID's.

The drawbacks of this have been pointed out by several people: That if the same
person/entity switches to a new key and the only identification available is
the keyID, the change will (for example) invalidate ACL entries because they're
tied to a keyID and not a person/entity.

However I don't think this is such a big problem. Instead of saying "My name
is <DN>, grant me access", you say "My keyID is <blob>, grant me access", and
if any record of the entity associated with the keyID is required, the access
control software uses it to look up whatever it is that's required to record
who was granted access (name, employee number, job title, even a DN if you
insist). Given that the current use of a DN is simply as a very long, complex,
and often ambiguous blob which requires a hierarchical database to work, what's
wrong with using a short, succint, totally unambiguous blob which works with a
normal relational database instead?

I'm not proposing that this supplant the DN, but that it complement it. In a
great many situations a DN is completely unnecessary. Using an unambiguous
keyID like this neatly bypasses the X.500/DN mess, means you can use an RDBMS
instead of X.500/LDAP, and the whole thing basically just *works*. Consider
the extraordinary amount of time which has been devoted by experienced users to
debating how many angels can fit on the head of an RDN, and then think of what
the unwashed masses will do once they get their hands on DN's...

Peter.

> From: Kepa Zubeldia <***@kepix.arcanvs.com>
>
> Steve,
>
> I understand the problem about using the same key in multiple certs.
> However, I am becoming increasingly concerned about my ability to
> maintain a large cert wallet ten years from now.
>
> In the physical world, if my wallet is stolen, all my credit cards
> are compromised. It would be easier for me to carry one smart card
> with all my accounts and let me decide which account to use for each
> transaction, instead of having a thick wallet with all the cards.
> The end result is the same.

Absolutely. So what is the real-world requirement for you to maintain
a large cert wallet, and what is the motivation for using the same key
on more than one cert?

It would be easiest if you had a single keypair and a single cert that
you use for all accounts - writing checks at the bank, checking out a
video at Blockbuster, charging something at Macy's, etc. If the strength
of the cert issuer is greater than the strength requirements of all the
prospective account issuers, this is possible, and certainly much easier
on the consumer than having each bank, store, library, etc issuing its
own certs.

But if you assume that you will have different certificates for different
purposes, what precisely is the advantage of sharing keys between any
of them? You still need a fat wallet and the administrative burden of
choosing which cert to use. It should be no more difficult to choose
between two certs with different keys than between two certs with the
same key. What benefit is there to sharing keys?


> In the computer world, if one of my private keys is compromised, most
> likely all of the keys on that hard drive (or storage device) should
> be revoked, because they are also at risk.

That's a plausible example. But why does that argue for sharing
keys between certs? If you use different keys for different certs, you
have the option of revoking one, some, or all of them as circumstances
dictate. If you have a single key for all purposes, you lose all
flexibility for handling them differently. You can't store some
private keys more securely than others (on a token vs. a hard drive),
for example.

> From: ***@cs.auckland.ac.nz (Peter Gutmann)
>
> The idea is that instead of saying "Fetch the cert for this incredibly
> complicated and ambiguous DN" you can say "Fetch the cert for this short,
> unambiguous blob". Basically the hash acts as a key (in the database sense,
> not the crypto sense) for the cert.

This is entirely an implementation issue, unrelated to the certificate
format. Every public key certificate contains a public key :-), therefore
every database or application that wants to use the hash of the public
key as the keyID can do so. No special keyID field is needed in the
cert itself - it would just be redundant information.

>
> The drawbacks of this have been pointed out by several people: That if the same
> person/entity switches to a new key and the only identification available is
> the keyID, the change will (for example) invalidate ACL entries because they're
> tied to a keyID and not a person/entity.
>
> However I don't think this is such a big problem. Instead of saying "My name
> is <DN>, grant me access", you say "My keyID is <blob>, grant me access", and
> if any record of the entity associated with the keyID is required, the access
> control software uses it to look up whatever it is that's required to record
> who was granted access (name, employee number, job title, even a DN if you
> insist).

This discussion started with the desire for a *persistent* identifier,
not a *short* identifier. The DN is completely general, and can contain
whatever amount of persistence is desired by the certificate issuer -
the more information you stuff into a DN, the less it's expected
lifetime. But the DN is always expected be more persistent than the
public key / keyID.

The public key (or keyID) has the least persistence because it is (or
should be) updated every time the certificate is refreshed. If you
assume that the public key is the entity's ID and that mapping
keys/keyIDs to identity/privilege is a local matter, then there is no
need for certificates at all! The only service provided by the CA
in the ACL/Persistent ID scenario is the ability to periodically update
keys. If you want to use keyID as the ACL identity, then instead you
should just store the public key in the ACL and forget all about
certificates. I believe this was Peter Williams' point that using
certs as input to ACLs is a pretty rudimentary form of privilege
management.

David,

***@missi.ncsc.mil (David P. Kemp) wrote:
>
> In any case, here are the comments Steve was referring to. I'd draw
> particular attention to your item (4) - if you are going to include
> DNs in ACLs, even for annotation purposes, there is no advantage to
> using SUIDs. It is worse to include erronious "comments" in an ACL
> (if the DN changes but the SUID/ACL is not updated) than to include
> no annotation at all.

>
> > (4) When authorization is based solely on the Subject UID, the whole name (DN)
> > can still be included on ACL entries for the ease of browsing and
> > management.

It is NOT unusual to include some outdated non-crtical information pertaining to
subject identities in today's businesses. If I am a business owner,
I would rather to be able to keep the old information (such as old addresses,
names before marriages, etc.) until I can get updates, as long as I still have the
correct Subject UID information. The updates of the annotations in ACLs can be
automated upon accesses based on the names cited in new certificates when used.

There are at least two other potential means for application to update name or
other (non-Subject-UID) attribute information in the ACLs.

(1) Applications may refresh the attribute information through a protocol with
CA's or directories for pulling up-to-date certificates to update annotations to
Subject UID's.

(2) Applications may provide an interface for on-line, user initiated updates
of attributes (except the Subject UID). Note that these updates can be
automatically verified with the use of the new certificates. No additional
name-update protocol between CA's and applications is needed.

If an application cannot tolerate outdated ACL annotations at all, it still can
use DN's in ACL entries. However, other applications that can tolerate outdated
name/attributes or can handle *access-time* updates should be allowed to do so.
Providing a Subject UID (that itself guarantees temporal uniqueness of
identities) in the certificates provides this freedom to applications.

I believe San Jose Mercury, Time, PC Magazine, Consumer Report, all my other
subscriptions, and even my banks *can* tolerate my old name if I decide to get an
official English name. Can you? :-)

Shyh-Wei

Unaccustomed as I am to lurking and reading a thread before jumping in with
a response, I finally seem to be back on the PKIX mailing list, and would
like to contribute my 2 cents. Because I believe this is primarily a PKIX
subject, I've deleted the ssl-talk list, but have no objection if someone
wants to repost it there.

Shyh-Wei Luan led off by saying:

>I have some concerns with how people are using X.509 certificates and a
>recommendation of depend ending on non-reusable names.
>
>X.509 certificate has the following two fields that are used to
>define a subject's identity, where the "subject" is the entity being
>authenticated.
>
> subject
> subjectUniqueID
>
>The "subject" field identifies the entity with a general name, where
>the subjectUniqueID field is used to handle the possibility of reuse of
>subject's general name. It is currently suggested in
>draft-ietf-pkix-ipki-part1-04.txt, "Internet Public Key Infrastructure,
Part
>I: X.509 Certificate and CRL Profile," that the subject name should not be
>reused, and the subjectUniqueID should be left unused.
>
>Here are two paragraphs excerpted from the draft:
>
>"The subject name identifies the entity associated with the public key
>stored in the subject public key field. The subject identity may be
carried
>in the subject field and/or the subjectAltName extension. If identity
>information is present only in the subjectAltName extension (e.g., a key
bound
>only to an email address or URI), then the subject name may be an empty
>sequence and the subjectAltName extension must be critical."
>
>"The subject and issuer unique identifier are present in the certificate
>to handle the possibility of reuse of subject and/or issuer names over
time.
>This profile recommends that names not be reused and that Internet
certificates
>not make use of unique identifiers. CAs conforming to this profile should
not
>generate certificated with unique identifiers. Applications conforming to
>this profile should be capable of parsing unique identifiers and making
>comparisons."
>
I agree with his concern, independent of his rationale.

As several people have pointed out, the use of a multiple-value terminal RDN
in a DN is almost inevitable in any large organization, just because people
sometimes have the same name as others. Within a named organization, which
is a de facto name registration authority, the use of a serial number is
both useful and convenient as a way of differentiating between two people
with the same name. Of course, the serial number by itself doesn't tell you
which one is which -- in the case of a directory you need to look at some
other attribute, such as organizational unit, hair and eye color, a
digitized photograph ,etc., to differentiate between two such individuals.
In the case of a certificate, you may or may not have access to the other
qualifying information, depending on what the individual decides to make
available.

Because standards are notorious for specifying the syntax with exactitude,
while remaining silent on the issue of semantics, I would recommend that the
use of a multi-valued RDN as a means of identifying a user be specifically
encouraged. And we should not only address the issue of uniqueness in terms
of space, but also time, and take some kind of position with regard to the
reuse of a DN after the first individual dies or leaves the organization.

However, just identifying the individual uniquely is not sufficient, and
unless I have suddenly had a metal lapse we will need a subjectUniqueID in
order to differentiate between the different certificates that a single,
unambiguously identified user may validly possess.

I will certainly have at least two certificates -- one for encryption, and
one for signing documents. I may choose to use a number of different
encryption/decryption key pairs to limit the loss in the event one key is
compromised. I may have keys from a variety of CAs, and I may use more than
one algorithm.

The profile recommends that names not be reused, and then seems to conclude
that if names aren't reused there will be no need to use a uniqueID. But
this isn't true -- I the user can certainly reuse my own name across
multiple certificates, and so a uniqueID is needed.

Now let me return to the issue of what kind of a multi-valued RDN qualifier
should be used to create/guarantee uniqueness.

Except in the case of an organizational person, whose DN includes the name
of the organization which is effectively acting as a name registration
authority, I believe that the terminal RDN should be a triple, consisting of
the user's commonName, THE NAME OF THE NAME REGISTRATION AUTHORITY, and the
serial number assigned by that name registration authority.

As I am sure that Sharon Boyen remembers, during the waning days of its
existence the NADF tried to grapple with the issue of how to assign unique
names to residential persons, when the "natural" geopolitical name
registration authority did not exist or was not prepared to carry out that
function.

In the early days of PEM, we rather blithely assumed that the various states
would inevitably step up to the role of registering the citizens within its
territory and assigning some kind of an ID (like a driver's license number)
to ensure uniqueness. Unfortunately, it has become obvious that the states
haven't yet seen fit to carry out our mandate.

No sweat, we said -- we'll just put a sufficient amount of information in
the DN as to ensure uniqueness, including the state, city or locality name,
street address, apartment number, etc. I even started a treatise on naming
for all sorts of obscure conditions -- jails and other forms of communal
living, addressing issues in territories such as the Marshall Islands, how
nomadic peoples and Indian tribes are address, what to do about APO
addresses, merchant ships, and quasi-permanent structure beyond the
continental limits (oil towers and ocean mining, etc.).

Charlie Combs of MCI did an fascinating study of names in one of the popular
phone listing CDS which revealed all sorts of interesting anomalies. (For
example, there were 23,852 Smith's in Tennessee, of which the most popular
first name was Naid, and out of the 46,103 Smith's in Florida, 170 had the
name Riet M?? And in Los Angeles, there were 1098 Smith's registered in the
90000 ZIP (which doesn't exist), most of whom had no first name and no
street address. It turns out that in California, the telephone company
charges you more for an unlisted number, but doesn't check to see if you
name or address are correct, or even meaningful.

But Sharon brought me up short with a feminine perspective that hadn't
occurred to me. In an X.500 directory, the Distinguished Name is available
for everyone to see, and cannot be subject to access controls. She pointed
out that many people, especially single women, are not likely to want to
have their complete name and street address available for everyone to see,
and routinely list only their first initial.

So for residential users we have a potentially serious privacy problem if we
assume that name resolution will be performed by address qualification. In
addition, as a result of competition, there is no natural monopoly that we
could count on within a given territory. Even local telephone companies
service boundaries do not necessarily correspond to geopolitical boundaries.
And Internet Service Providers and CAs obviously compete for business.

So the best suggestion that I can come up with is to list the name of the de
facto name registration authority as the second element of the terminal RDN,
followed by a unique serial number assigned by that authority. In many
cases the name registration authority will be the CA, and there is nothing
wrong with that. But at least conceivably the name registration authority
might not be the CA -- it could be the IEEE, or the ACM, or the American Bar
Association, etc. It could even be a different CA, so long as that CA can
still assure name uniqueness. And there are some due diligence issues
involved in using an organization plus a membership number, like what if
that person is no longer a member in good standing.

I almost hesitate to suggest it, but there is one other possibility. I once
wrote a paper on military and commercial computer security issues that
focused on Integrity, and I observed that the Discretionary Access control
requirements for B3 level systems require the ability to not only include a
specif individual, but also to exclude named individuals. If that
requirement were taken seriously at a network level, it would presumably
mean that such individuals ought to be excluded from access even through
they had changed their name, obtained multiple certificates from different
name registration authorities, etc.

The only scheme that I could come up with that would solve that problem was
the use of a message digest that would be computed over specific elements or
fields in an individual's birth certificate (or record of adoption or
immigration documents in the case of people coming from countries where such
records are not kept). As I recall, I included the subject's birth name, the
mother's maiden name, the date/time and place the birth occurred, and the
name of the person registering the birth (normally the attending physician).
Except possibly for born-again Christians, this information never changes,
and would apply throughout most of the world.

The reason why I hesitate to suggest it is that although it would be very
powerful, and could be rather easily verified, it could easily become a
ubiquitous international ID number. Anyone without one would effectively be
an "unperson".

Bob



Robert R. Jueneman
Security Architect
Novell, Inc.
Internet Infrastructure Division
122 East 1700 South
Provo, UT 84604
801/861-7387
***@novell.com

This is directed to the authors of <draft-ietf-pkix-ipki-part1-04.txt>

The recent discussion on X.509 subject name field caused me to examine the
definitions in the document closely. Currently the subject name field is
defined (section 4.1 & section 9) as a sequence of RNDs, *NOT* as a DN.
While it is true that all DNs are sequences of RDNs, not all sequences of
RDNs are DNs. Steve Kent, in a private communication, assured me that the
intent is to be the same as X.509, which defines the field as a DN. (I don't
have ready access to that spec.)

Therefore, I suggest changing the draft spec to say that subject name (and
issuer name) are specifically DNs.

My inclination is to go further and say that the subject name field is
intended to be unique per issuer, but perhaps that is beyond the scope of
the document.

Hal
=================================================================
Harold W. Lockhart Jr. PLATINUM technology, Inc.
Chief Technical Architect 8 New England Executive Park
Email: ***@platsol.com Burlington, MA 01803 USA
Voice: (617)273-6406 Fax: (617)229-2969
=================================================================

> From: Hal Lockhart <***@platsol.com>
>
> This is directed to the authors of <draft-ietf-pkix-ipki-part1-04.txt>
>
> The recent discussion on X.509 subject name field caused me to examine the
> definitions in the document closely. Currently the subject name field is
> defined (section 4.1 & section 9) as a sequence of RNDs, *NOT* as a DN.

Section 4.1 defines the tbsCertificate.subject field as a "Name", but does
not include the definition of Name. (I suggest that definitions for
AlgorithmIdentifier and Name be included in section 4.1 as well as section
9.) Section 4.1.2.6 is silent on the definition of Name, but does say that
the subject identity may be contained in either the subject field or the
subjectAltName extension.

Section 9 includes the following:

Name ::= CHOICE { rdnSequence RDNSequence -- only one possibility }

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

DistinguishedName ::= RDNSequence


> While it is true that all DNs are sequences of RDNs, not all sequences of
> RDNs are DNs. Steve Kent, in a private communication, assured me that the
> intent is to be the same as X.509, which defines the field as a DN. (I don't
> have ready access to that spec.)

This definition of Name in <draft-ietf-pkix-ipki-part1-04.txt> is identical
to (i.e. taken directly from) the definition of Name in X.501. X.509
imports this definition from X.501. Not only is the *intent* for PKIX to
be the same as X.509, the ASN.1 is identical.

I don't understand your comment. As I read the ASN.1 definition,
DistinguishedName and RDNSequence are synonymous. Can you provide an
example of a sequence of RDNs which is not a Distinguished Name?

Or, disregarding the ASN.1 definition for a moment, what point did
you wish to make about subject names? What types of RDN sequences
do you wish PKIX to disallow?


> My inclination is to go further and say that the subject name field is
> intended to be unique per issuer, but perhaps that is beyond the scope of
> the document.

I believe it should be allowable for a single issuer to create multiple
certificates containing the same subject name, but differing in some
other attribute. For example, to allow:

* overlapping validity periods (issue a replacement cert slightly before
the previous cert expires, to provide a grace period).

* different subjectPublicKeyInfo fields (one certificate with a digital
signature key and another with a privacy-enabling key,
or two signature certificates with different signature algorithms).

* different privilege-granting extensions (attached to different public
keys, of course).

The issuer/serial-number pair is guaranteed to uniquely identify a
certificate, but I don't see any reason to require issuer/subject-name
to be unique. On the contrary, it would be quite harmful for PKIX to
preclude the above examples.

> From: Bob Jueneman <***@novell.com>
>
> Unaccustomed as I am to lurking and reading a thread before jumping in with
> a response, I finally seem to be back on the PKIX mailing list, and would
> like to contribute my 2 cents.

Welcome back, Bob!

> However, just identifying the individual uniquely is not sufficient, and
> unless I have suddenly had a metal lapse we will need a subjectUniqueID in
> order to differentiate between the different certificates that a single,
> unambiguously identified user may validly possess.


An unambiguously identified user may indeed have multiple certificates, but
what purpose does a subjectUID have in distinguishing between them? The
serialNumber field is already unique per issuer. Assuming that the
"multiple humans with the same DN" issue is solved by the
multiple-attribute terminal RDN, what other problem is addressed by
a subjectUID that could not be addressed by using the serialNumber?



>
> [fascinating naming discussion snipped]
>

>There is an issue here that merits discussion: the logotype is
>presumably useful only when people are being asked to accept/reject
>certs, in addition to or in lieu of the many software-based controls
>that v3 certs offer. If the use is in lieu of use of more extensive
>software-based controls, there may not be a conflict, since the
>context is probably that of a TTP CA where NameConstraints and
>similar controls are of minimal use. However, if the syntactic
>controls are also in use, a logotype extension may be of limited
>value and might easily degrade security.

The following paper motivates the need for an extension similar to that
proposed and shows a basic attack on SSL using a web browser that having
logos/visual cues in certificates helps mitigate.

A. Jøsang, I.G. Pedersen and D. Povey. PKI seeks a trusting relationship.
In Proceedings of the Fifth Australasian Conference on Information Security and
Privacy (ACISP 2000), Brisbane, July 2000. Springer.
http://security.dstc.edu.au/papers/pkitrust.pdf

The basic idea is this:

1. The user is fooled into connecting to the attacker using a false URL
on a portal or by some other means (a sophisticated attack could
intercept the request and use HTTP redirects on unsecured HTTP leading
to get them to connect to the attacker's web server.

2. The attacker's web page masquerades as a legitimate business. They
could do this by simply replicating a target site's web page. They then
present a service to buy goods or perform some transaction using an
SSL secure connection.

3. The user connects to the secure connection, accepts the SSL certificate
and then submits their credit card details/bank account
PIN to the attacker.

Note that this attack will only work if:

1. The user doesn't realise that the URL of the site they are connecting
to is the wrong one for the legitimate business. In practice this
will probably be true even if the attacker takes no steps to hide or
mask this fact. However the attacker can easily register domain names
that could plausibly represent the target site (e.g. for Bank Of America
which of the following is correct: www.bankofamerica.com, www.bom.com,
bom.commerce.net, www.bankofamerica.us, www.bankofamerica.tv etc.).
Presumably most CAs will issue you an SSL server cert if you can prove
ownership of the domain.

2. The user doesn't bother to check the details of the Certificate. Note this
involves some effort and knowledge on behalf of the user, most users
would just see the little lock icon and happily enter their details.

The problem is caused by lack of feedback from the security mechanism about
the trust aspects of the transaction. While the browser goes to a lot of
trouble to verify the cryptographic aspects of the SSL connection, the link
between the authentication and the actual organisation the user thinks they
are contacting is quite tenuous.

Adding some sort of visual identifier, such as a company logo to a
certificate and displaying this in a prominent place in the browser would
go a long way to ameliorating this problem.

However, I for one would be more interested in seeing this in a separate
I-D/RFC rather than son-of-2459. I also agree that is seems silly to stuff
the image in the certificate, instead something along the lines of:

SubjectLogo ::= SEQUENCE {
location GeneralName,
digestAlgorithm AlgorithmIdentifier,
digest OCTET STRING
}

seems appropriate. If you really want to go for a space save you could
make the digestAlgorithm OPTIONAL and have it use whatever is used to
generate the signature if it is not present.

Which begs the question, having a signed embedded reference (as opposed to
something like SubjectDirectoryAttributes) to arbitrary external content in
a Certificate seems to me to be wholly useful thing to want to do (e.g.
CPS, user agreement, photo of user's cat etc). So is it worth perhaps
generalising something like the above to support this, e.g.

SubjectAuthenticatedReferences ::= SEQUENCE OF AuthenticatedReference

AuthenticatedReference ::= SEQUENCE {
location GeneralName,
digestAlgorithm AlgorithmIdentifier,
digest OCTET STRING
}

or numerous permutations thereof. Or perhaps such a beast exists already?

Just my $0.02.

--
Dean Povey, | e-m: ***@dstc.edu.au | JCSI: Java Crypto Toolkit
Research Scientist | ph: +61 7 3864 5120 | uPKI: C PKI toolkit for embedded
Security Unit, DSTC | fax: +61 7 3864 1282 | systems
Brisbane, Australia | www: security.dstc.com | Oscar: C++ PKI toolkit

>> Adding some sort of visual identifier, such as a company logo to a
>> certificate and displaying this in a prominent place in the browser would
>> go a long way to ameliorating this problem.
>
>And what's to prevent the badguy from just copying the info out of a
>real cert? Fear of violating the trademark law?
> /r$

I should have explained. It only works if the browser does something
sensible like displays the logo in a prominent place where the user will
notice and which can't be recreated by just straight HTML. Kind of like
the way the lock clicks on to tell you you have a secure connection.
Presumably the CA will perform some due-dilligence when certifying company
logos.

Cheers

--
Dean Povey, | e-m: ***@dstc.edu.au | JCSI: Java Crypto Toolkit
Research Scientist | ph: +61 7 3864 5120 | uPKI: C PKI toolkit for embedded
Security Unit, DSTC | fax: +61 7 3864 1282 | systems
Brisbane, Australia | www: security.dstc.com | Oscar: C++ PKI toolkit

>I should have explained. It only works if the browser does something
>sensible like displays the logo in a prominent place where the user will
>notice and which can't be recreated by just straight HTML. Kind of like
>the way the lock clicks on to tell you you have a secure connection.
>Presumably the CA will perform some due-dilligence when certifying company
>logos.

To make the scheme clearer, one of the other authors on the first paper I
mentioned has recommended a more recent paper with more detail.

A. Jøsang, M.A. Patton and A. Ho. Authentication for Humans. In the
Proceedings of the 9th International Conference on Telecommunication Systems.
Dallas, March 2001. http://security.dstc.edu.au/papers/authum.pdf

Cheers.
--
Dean Povey, | e-m: ***@dstc.edu.au | JCSI: Java Crypto Toolkit
Research Scientist | ph: +61 7 3864 5120 | uPKI: C PKI toolkit for embedded
Security Unit, DSTC | fax: +61 7 3864 1282 | systems
Brisbane, Australia | www: security.dstc.com | Oscar: C++ PKI toolkit

Colleagues - I am supportive of the idea of including branding information
in certificates. I recognize Steve's concern. But, I suggest that there
should be no impact on processing rules ... other than ... in applications
where the relying party is a human, the logo from the very first certificate
in the path should be displayed to him/her. When a relying party accepts a
trust anchor, their experience should be identical regardless of the details
of the remainder of the path. Best regards. Tim.


-----Original Message-----
From: Stephen Kent [mailto:***@bbn.com]
Sent: Monday, March 19, 2001 11:47 AM
To: Stefan Santesson
Cc: ietf-***@imc.org
Subject: RE: Logotypes in certificates


Stefan,

I have mixed feelings about this proposal. We have, in the
NameConstraints extension, a powerful mechanism for making cross
certification a safe thing to do. If one were to include a logotype
extension in a cert that was issued by a CA who had been cross
certified using name constraints, it holds the potential for
seriously undermining the controls imposed by NameConstraints.

There is an issue here that merits discussion: the logotype is
presumably useful only when people are being asked to accept/reject
certs, in addition to or in lieu of the many software-based controls
that v3 certs offer. If the use is in lieu of use of more extensive
software-based controls, there may not be a conflict, since the
context is probably that of a TTP CA where NameConstraints and
similar controls are of minimal use. However, if the syntactic
controls are also in use, a logotype extension may be of limited
value and might easily degrade security.

So, I would be opposed to PKIX approving this sort of extension (even
as a separate RFC from 2459bis) without imposing significant
constraints on the contexts in which it is to be used, including
limitations on its use in conjunction with other extensions, e.g.,
NameConstraints. What worries me even more, is that we might have to
extend/modify the validation procedure to enforce such
inter-extension constraints, which would then affect 2459bis!

Steve

--
Regards,
Todd
> Colleagues - I am supportive of the idea of including branding information
> in certificates. I recognize Steve's concern. But, I suggest that there
> should be no impact on processing rules ... other than ... in applications
> where the relying party is a human, the logo from the very first certificate
> in the path should be displayed to him/her. When a relying party accepts a
> trust anchor, their experience should be identical regardless of the details
> of the remainder of the path. Best regards. Tim.


This this is an instance wherein you are talking about
is the end-use model for the cert and not the cert
content. It is important to differentiate the two
since use of a cert is more an applications level effort.

The concept in "displaying" squat to anyone takes the
issue out of the "content" and into the "use of" realms
which seems to be more "application oriented" than ANYTHING,
and as such not something that PKIX should be
concerning itself with unless it is going to change again
and start to publish certified use models for its wares.

In which case the structure and accountability of PKIX for
what it is producing must also change significantly more
towards the ISO standards I think.


>
>
> -----Original Message-----
> From: Stephen Kent [mailto:***@bbn.com]
> Sent: Monday, March 19, 2001 11:47 AM
> To: Stefan Santesson
> Cc: ietf-***@imc.org
> Subject: RE: Logotypes in certificates
>
>
> Stefan,
>
> I have mixed feelings about this proposal. We have, in the
> NameConstraints extension, a powerful mechanism for making cross
> certification a safe thing to do. If one were to include a logotype
> extension in a cert that was issued by a CA who had been cross
> certified using name constraints, it holds the potential for
> seriously undermining the controls imposed by NameConstraints.
>
> There is an issue here that merits discussion: the logotype is
> presumably useful only when people are being asked to accept/reject
> certs, in addition to or in lieu of the many software-based controls
> that v3 certs offer. If the use is in lieu of use of more extensive
> software-based controls, there may not be a conflict, since the
> context is probably that of a TTP CA where NameConstraints and
> similar controls are of minimal use. However, if the syntactic
> controls are also in use, a logotype extension may be of limited
> value and might easily degrade security.
>
> So, I would be opposed to PKIX approving this sort of extension (even
> as a separate RFC from 2459bis) without imposing significant
> constraints on the contexts in which it is to be used, including
> limitations on its use in conjunction with other extensions, e.g.,
> NameConstraints. What worries me even more, is that we might have to
> extend/modify the validation procedure to enforce such
> inter-extension constraints, which would then affect 2459bis!
>
> Steve

Todd,

I may have misunderstood you but the proposal to include logotype
information is definitely about certificate content.

The proposal suggests a method to contain relevant information about
logotypes in certificates in a way that allows a client to get, validate
and display the logo to an end user.

How the client does that is not the major issue, just to provide the
possibility.

/Stefan

At 15:20 2001-03-20 +0000, ***@att.net wrote:

>--
>Regards,
>Todd
> > Colleagues - I am supportive of the idea of including branding information
> > in certificates. I recognize Steve's concern. But, I suggest that there
> > should be no impact on processing rules ... other than ... in applications
> > where the relying party is a human, the logo from the very first
> certificate
> > in the path should be displayed to him/her. When a relying party accepts a
> > trust anchor, their experience should be identical regardless of the
> details
> > of the remainder of the path. Best regards. Tim.
>
>
>This this is an instance wherein you are talking about
>is the end-use model for the cert and not the cert
>content. It is important to differentiate the two
>since use of a cert is more an applications level effort.
>
>The concept in "displaying" squat to anyone takes the
>issue out of the "content" and into the "use of" realms
>which seems to be more "application oriented" than ANYTHING,
>and as such not something that PKIX should be
>concerning itself with unless it is going to change again
>and start to publish certified use models for its wares.
>
>In which case the structure and accountability of PKIX for
>what it is producing must also change significantly more
>towards the ISO standards I think.
>
>
> >
> >
> > -----Original Message-----
> > From: Stephen Kent [mailto:***@bbn.com]
> > Sent: Monday, March 19, 2001 11:47 AM
> > To: Stefan Santesson
> > Cc: ietf-***@imc.org
> > Subject: RE: Logotypes in certificates
> >
> >
> > Stefan,
> >
> > I have mixed feelings about this proposal. We have, in the
> > NameConstraints extension, a powerful mechanism for making cross
> > certification a safe thing to do. If one were to include a logotype
> > extension in a cert that was issued by a CA who had been cross
> > certified using name constraints, it holds the potential for
> > seriously undermining the controls imposed by NameConstraints.
> >
> > There is an issue here that merits discussion: the logotype is
> > presumably useful only when people are being asked to accept/reject
> > certs, in addition to or in lieu of the many software-based controls
> > that v3 certs offer. If the use is in lieu of use of more extensive
> > software-based controls, there may not be a conflict, since the
> > context is probably that of a TTP CA where NameConstraints and
> > similar controls are of minimal use. However, if the syntactic
> > controls are also in use, a logotype extension may be of limited
> > value and might easily degrade security.
> >
> > So, I would be opposed to PKIX approving this sort of extension (even
> > as a separate RFC from 2459bis) without imposing significant
> > constraints on the contexts in which it is to be used, including
> > limitations on its use in conjunction with other extensions, e.g.,
> > NameConstraints. What worries me even more, is that we might have to
> > extend/modify the validation procedure to enforce such
> > inter-extension constraints, which would then affect 2459bis!
> >
> > Steve

>
>I also suppose that the only way a logotype could undermine the naming
>schema is if logotypes have such significant impact on entity recognition,
>that users in general would se the logo and not notice that the DN is in
>conflict with the logotype.
>
>If this is correct then you acknowledge the importance of logotypes as
>instrument of recognition, which speaks for that we should find a way to
>handle logotypes in certificates and not the opposite.

Surely it would be the responsibility of the CA to determine the logo ->
DN mapping. From a software perspective the path validation algorithm
should not be affected. The logo is just there to help the user make a
better decision about whether to trust the certificate.

Cheers.



--
Dean Povey, | e-m: ***@dstc.edu.au | JCSI: Java Crypto Toolkit
Research Scientist | ph: +61 7 3864 5120 | uPKI: C PKI toolkit for embedded
Security Unit, DSTC | fax: +61 7 3864 1282 | systems
Brisbane, Australia | www: security.dstc.com | Oscar: C++ PKI toolkit

Steve,
This is the same argument as a CA issuing a cert to a
subordinate, who issues incorrect certificates with it - e.g.
issues a certificate for the domain www.amazon.com to say BN.

Either a CA controls/audits subordinate CAs, or has enough
reason to trust them, or the value of that hierarchy is
pretty useless.

I don't think logos in certificates affect this either way.

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ***@valicert.com
339 N. Bernardo Ave. http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Stephen Kent [mailto:***@bbn.com]
> Sent: Tuesday, March 20, 2001 8:57 PM
> To: Dean Povey
> Cc: ietf-***@imc.org
> Subject: Re: Logotypes in certificates
>
>
> Dean and Stefan,
>
> As a security kinda' guy, I always approach this from the "what will
> the bad giy do" perspective. From that perspective, I worry that a
> TTP CA will cerfity company X, putting the company X logo in the
> cert. Then company X will issue a cert to a subordinate CA, and put
> in that cert an inappropriate logo. It is not realistic for an app to
> display a chain of logos, and expect a user to pay attention, any
> more that if one displayed a chain of DNs. I still maintain that we
> can agree on what would be a reasonable set of circumstances in which
> the logo extension would be useful and safe, but I don't see a
> technical means of enforcing these circumstances without changes to
> the path validation algorithm. I am open to suggestions that provide
> the necessary controls and don't have this unfortunate side effect,
> but I have yet to see an example of such.
>
> Steve
>

Wouldn't Logotypes most easily be implemented as an OTHER-NAME within
one of the alternate name fields (probably SubjectAltName)? If so, how
would they affect NameConstraints and the like? IMHO, they would have
little effect on them since logos are not hierarchical names and thus
couldn't easily be governed by NameConstraints.
Since they are naming (or at least identifying) information about the
subject or issuer, I don't see why they should be in a different extension.
IMO, the standard way of displaying these should be to display the logo
along with the text of the highest-precedence ID for that entity anyway.
Binding them together in the same extension would encourage that.

Tom Gindin


Ambarish Malpani <***@valicert.com> on 03/21/2001 12:06:35 PM

To: "'Stephen Kent'" <***@bbn.com>, Dean Povey <***@dstc.qut.edu.au>
cc: ietf-***@imc.org
Subject: RE: Logotypes in certificates




Steve,
This is the same argument as a CA issuing a cert to a
subordinate, who issues incorrect certificates with it - e.g.
issues a certificate for the domain www.amazon.com to say BN.

Either a CA controls/audits subordinate CAs, or has enough
reason to trust them, or the value of that hierarchy is
pretty useless.

I don't think logos in certificates affect this either way.

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ***@valicert.com
339 N. Bernardo Ave. http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Stephen Kent [mailto:***@bbn.com]
> Sent: Tuesday, March 20, 2001 8:57 PM
> To: Dean Povey
> Cc: ietf-***@imc.org
> Subject: Re: Logotypes in certificates
>
>
> Dean and Stefan,
>
> As a security kinda' guy, I always approach this from the "what will
> the bad giy do" perspective. From that perspective, I worry that a
> TTP CA will cerfity company X, putting the company X logo in the
> cert. Then company X will issue a cert to a subordinate CA, and put
> in that cert an inappropriate logo. It is not realistic for an app to
> display a chain of logos, and expect a user to pay attention, any
> more that if one displayed a chain of DNs. I still maintain that we
> can agree on what would be a reasonable set of circumstances in which
> the logo extension would be useful and safe, but I don't see a
> technical means of enforcing these circumstances without changes to
> the path validation algorithm. I am open to suggestions that provide
> the necessary controls and don't have this unfortunate side effect,
> but I have yet to see an example of such.
>
> Steve
>

Though I don't favor including logotype or reference to a logotype to a
cert, considering it as a pure marketing trick (sorry, Stefan :), but my
realisation was that a logotype is by no means related to the establishment
of trust. It is 100% meant for a human eye only, and verification algorithm
should simply ignore it, as it ingores any other proprietory extentions. If
the verification comes up with an answer 'not validated', and the software
prompts a user saying 'couldn't validate', and the user still makes a
decision to trust the cert, it is an application's problem, which already
exists now, and logotypes add no extra pitch to it.

As an extreme, if a CA considers logotypes to be anyhow harmful, it simply
won't have a logotype in its own cert, and refuse certification of
logotypes.

Michael
-----Original Message-----
From: Ambarish Malpani [mailto:***@valicert.com]
Sent: Thursday, March 22, 2001 4:07 AM
To: 'Stephen Kent'; Dean Povey
Cc: ietf-***@imc.org
Subject: RE: Logotypes in certificates



Steve,
This is the same argument as a CA issuing a cert to a
subordinate, who issues incorrect certificates with it - e.g.
issues a certificate for the domain www.amazon.com to say BN.

Either a CA controls/audits subordinate CAs, or has enough
reason to trust them, or the value of that hierarchy is
pretty useless.

I don't think logos in certificates affect this either way.

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ***@valicert.com
339 N. Bernardo Ave. http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Stephen Kent [mailto:***@bbn.com]
> Sent: Tuesday, March 20, 2001 8:57 PM
> To: Dean Povey
> Cc: ietf-***@imc.org
> Subject: Re: Logotypes in certificates
>
>
> Dean and Stefan,
>
> As a security kinda' guy, I always approach this from the "what will
> the bad giy do" perspective. From that perspective, I worry that a
> TTP CA will cerfity company X, putting the company X logo in the
> cert. Then company X will issue a cert to a subordinate CA, and put
> in that cert an inappropriate logo. It is not realistic for an app to
> display a chain of logos, and expect a user to pay attention, any
> more that if one displayed a chain of DNs. I still maintain that we
> can agree on what would be a reasonable set of circumstances in which
> the logo extension would be useful and safe, but I don't see a
> technical means of enforcing these circumstances without changes to
> the path validation algorithm. I am open to suggestions that provide
> the necessary controls and don't have this unfortunate side effect,
> but I have yet to see an example of such.
>
> Steve
>


This footnote confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.


-----------------------------------------------------------------------------------------------------------------
The information contained in this message is confidential and is intended
for the addressee(s) only. If you have received this message in error or
there are any problems please notify the originator immediately. The
unauthorized use, disclosure, copying or alteration of this message is
strictly forbidden. Baltimore Technologies plc will not be liable for direct,
special, indirect or consequential damages arising from alteration of the
contents of this message by a third party or as a result of any virus being
passed on.

In addition, certain Marketing collateral may be added from time to time to
promote Baltimore Technologies products, services, Global e-Security or
appearance at trade shows and conferences.

This footnote confirms that this email message has been swept by
Baltimore MIMEsweeper for Content Security threats, including
computer viruses.