Fed/Ed PKI 2008, June Subject Unique Identifier or Equivalent William A. Weems & Mark B. Jones Academic Technology U. Texas Health Science Center at Houston
Fed/Ed PKI 2008, June 3
Subject Distinguished Name
OID.firstname.lastname@example.org, CN=William A. Weems, OU="www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)99", OU=Health Science Center at Houston CA, O=The University of Texas System
Fed/Ed PKI 2008, June 4
X.509 Structure
  Certificate
    Version
    Serial Number
    Algorithm ID
    Issuer
    Validity
      Not Before
      Not After
    Subject
    Subject Public Key Info
      Public Key Algorithm
      Subject Public Key
    Issuer Unique Identifier (Optional)
    Subject Unique Identifier (Optional)
    Extensions (Optional)
    ...
  Certificate Signature Algorithm
  Certificate Signature
Fed/Ed PKI 2008, June 5
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC 5280
4.1.2.8. Unique Identifiers
These fields MUST only appear if the version is 2 or 3 (Section 4.1.2.1). These fields MUST NOT appear if the version is 1. The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time. This profile RECOMMENDS that names not be reused for different entities and that Internet certificates not make use of unique identifiers. CAs conforming to this profile MUST NOT generate certificates with unique identifiers. Applications conforming to this profile SHOULD be capable of parsing certificates that include unique identifiers, but there are no processing requirements associated with the unique identifiers.
Fed/Ed PKI 2008, June 6 Applications (commerce or anything else) will use the subject identity to make authorization decisions. Since names cannot be reused, new names will become more and more unnatural and hard to comprehend and memorize, and different people will have different ways in addressing the uniqueness. I believe it is natural and should be encouraged, if not required, to always associate the subject name with a unique identifier. Without this requirement, privacy and protection of subject's internet resources, financial assets, etc, can be all at risk. Shyh-Wei Luan, 23 May 1997
Fed/Ed PKI 2008, June 7 You can always achieve the effect of a unique identifier by adding an attribute value assertion into the distinguished name for that purpose. For example, if Common Name is not assigned so as to be inherently unique, you can add another attribute that carries Employee Number or Customer Number, which is arranged to be unique. Warwick Ford, VeriSign, Inc., Fri, 23 May 1997