Re: Last Call: Internet X.509 Public Key Infrastructure Certificate an: msg#00247ietf.x509
Tim, Steve,

thank you for your answers. I won't talk about UID & emailAddress anymore.

I'd like to get your opinion on a last change:

Should, for interoperability's sake, "a serial number, where the number is an employee ID" be part of the PKIX part 1 DNs (X.520 serialNumber? X.520 uniqueIdentifier?) or is it the purpose of X.520 dnQualifier, mentioned in the PKIX part 1?

I'm trying to understand how business A employees & services can deal with business B employees, if the COTS applications and CAs do not provide means to parse business B DNs, in particular the "serial number, where the number is an employee ID". Hence my insistence on this topic.

I have never used COTS (common off the shelf) applications and CAs using X.520 serialNumber, X.520 uniqueIdentifier or X.520 dnQualifier in a DN. I'm looking forward to being PKIX 1 compliant, and ask the same of my PKI software/service providers.

The "serial number, where the number is an employee ID" is different from the serial number of the certificate issued by the CA (4.1.2.2 in the draft), if I needed to precise my thoughts.

Regards,
--francois

Stephen Kent wrote:
...
> >Our needs analysis show that in a 50000+ world-wide corporation, a
> >personal rdn is not an easy task to perform :
> >
> >-cn is not sufficient as too many homonyms exist
> >-location & country are inadequate for a mobile workforce
> >as they create a high burden on the CA as people move.
...
> >-access controls force to have personal company identifiers which are
> >never reused by new employees.
>
> Large organizations I am familiar with tend to use a terminal RDN that is a
> set consisting of a common name and a serial number, where the number is an
> employee ID. That makes use of existing data that is usually employed to
> differentiate among employees, e.g., for payroll purposes. User login
> names are often NOT globally unique, e.g., they need only be system unique.
>
> Steve

--
Francois Leclerc
SCHLUMBERGER Austin Product Center
Associate Research Scientist
8311 North F.M 620 Road
Fax: 1 512 331-3760
Austin, Texas 78726 USA
Tel: 1 512 331-3133
fleclerc@xxxxxxx or leclerc@xxxxxxxxxxxxxxxxxx
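
An added illustration, not part of the original message or of the PKIX draft: a relying application reading the employee number out of a terminal RDN that is a set of common name and X.520 serialNumber (OID 2.5.4.5), so that two employees with the same name stay distinct. It assumes the DN arrives in LDAP string form with `+` joining the attributes of one RDN; the function names, "Example Corp" and the employee numbers used with it are constructed.

```python
# Added example: string-DN parsing for a terminal RDN of {CN, serialNumber}.
# Function names are hypothetical; any DNs passed in here are constructed samples.
import string
CN_TYPES = {"cn", "commonname", "2.5.4.3"}
SERIAL_TYPES = {"serialnumber", "2.5.4.5"}  # X.520 serialNumber, not the cert serial

def _split(text, sep):
    """Split on an unescaped separator; backslash pairs are kept intact."""
    parts, buf, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" else 1
        if text[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += text[i:i + step]
        i += step
    return parts + [buf]

def _unescape(value):
    """Resolve string-DN escapes: backslash + hex pair, or backslash + one character."""
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))
            i += 3
        elif value[i] == "\\" and pair:
            out += pair[0].encode()
            i += 2
        else:
            out += value[i].encode()
            i += 1
    return out.decode("utf-8")

def parse_dn(dn):
    """Return RDNs, most specific first, each a list of (type, value) pairs."""
    rdns = []
    for rdn in _split(dn, ","):
        avas = (ava.partition("=") for ava in _split(rdn, "+"))
        rdns.append([(t.strip().lower(), _unescape(v)) for t, _, v in avas])
    return rdns

def terminal_identity(dn):
    """(common name, employee serialNumber) from the terminal RDN; None if absent."""
    found = dict(parse_dn(dn)[0])
    cn = next((found[t] for t in found if t in CN_TYPES), None)
    serial = next((found[t] for t in found if t in SERIAL_TYPES), None)
    return cn, serial
```

A DN whose terminal RDN carries only a CN returns `None` for the number, which is the case where homonyms cannot be told apart.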