Karsten Ohme wrote:
What is done if one person has the same X.500 Distinguished Name as
another person? What is done if two John Does live in the same place and
want to have a certificate from the same CA?
See
http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html#DName
That flags up a more general problem, because European studies for ID
cards suggest that there will be a consensus about identifying people
with the following dataset (I'm using both European and USA conventions,
plus a now rather old-fashioned UK one):
- Forename / Christian Name / Given Name
- Surname / Family Name
- Date of birth
- Place of birth (town or city, state or other region name, country)
- Gender
- and a differentiator (formatting not specified) if there is a clash
and to that will be added, in a card attesting to residence:
Address of place of residence
Karsten pointed us to a Sun document in which the constituents of
Distinguished Name are those appropriate for an individual's position in
a company or other organisation.
The Sun document refers to a program keytool:
"keytool is a key and certificate management utility. It enables users
to administer their own public/private key pairs and associated
certificates for use in self-authentication (where the user
authenticates himself/herself to other users/services) or data integrity
and authentication services, using digital signatures. It also allows
users to cache the public keys (in the form of certificates) of their
communicating peers."
and then states:
keytool supports the following subparts:
* commonName - common name of a person, e.g., "Susan Jones"
* organizationUnit - small organization (e.g., department or
division) name, e.g., "Purchasing"
* organizationName - large organization name, e.g., "ABCSystems, Inc."
* localityName - locality (city) name, e.g., "Palo Alto"
* stateName - state or province name, e.g., "California"
* country - two-letter country code, e.g., "CH"
But that Sun document refers us to the ITU-T Recommendation X.500. Now I
don't have X.500 - you have to pay for it (25 Swiss Francs) to get it
from www.itu.int - and note that there is a provisional new edition
dated August 2005.
Note that there is a standard for country codes: ISO 3166 (part 1).
But European work has also established that there is a need for some
people to have information in more than one language and in more than
one alphabet (use ISO 10646 to encode the various alphabets). For
example: if you were born in Greece but live in the UK.
Also there is a need to be able to store the full name and perhaps another
title or indeed titles. Here's an example of an English Earl (given
because he is heavily involved in IT):
Sir Merlin Sereld Victor Gilbert Hay Moncreiffe, 24th Earl of Erroll,
25th Lord Hay, 24th Lord Slains, 12th Bt of Moncreiffe of that Ilk, 28th
Hereditary Lord High Constable of Scotland, 32nd Chief of The Hays
(quoted from E-business Regulatory Alliance http://www.e-ra.org.uk/team.htm)
A bit longer than my full name (I have one middle name).
And we keep saying: use X.509 certificates...
(Doesn't answer Karsten's question, but illustrates the complex field
that we are getting into)
What is important is that we try to use a self-defining dataset, i.e.
TLV coding, using tags specified in a recognised standard or
specification, along with OIDs identifying the document where the data
elements are defined. See for example eURI Part 1 (which is now accepted
as input for work on a full European Standard):
CEN/ISSS CWA 13987:2003 eURI
Smart Card Systems: Interoperable Citizen Services: Extended User
Related Information
Part 1: Definition of User Related Information and Implementation
Part 2: Implementation Guidelines
Part 3: Guidelines to Creating, Operating and Maintaining an
Interoperable Card Community
http://www.cenorm.be/cenorm/businessdomains/businessdomains/isss/cwa/euri.asp
But the Sun document uses keywords, e.g.
"When supplying a distinguished name string as the value of a -dname
option, as for the -genkey or -selfcert commands, the string must be in
the following format:
CN=cName, OU=orgUnit, O=org, L=city, S=state, C=countryCode"
because the keytool utility requires its parameters to be in that format.
Peter
_______________________________________________
Muscle mailing list
http://lists.drizzle.com/mailman/listinfo/muscle
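Two of the practical problems raised in this message, attribute values that contain commas (the Sun document's own "ABCSystems, Inc.", or the Earl's titles) and two subjects producing an identical DN, worked through in code. This is an added example, not code from the thread or from Sun's keytool; escaping follows the RFC 4514 string rules, and the clash differentiator (an X.520 serialNumber value in a multi-valued first RDN) is a constructed choice, since the European work quoted above leaves its format unspecified.

```python
"""Build keytool-style '-dname' strings and keep two John Does apart.

Added example. Escaping per RFC 4514; the differentiator encoding
(CN=...+SERIALNUMBER=n) is a constructed choice, not a standard mandate.
"""
from collections import defaultdict

# Characters RFC 4514 requires to be backslash-escaped anywhere in a value.
_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so 'CN=..., O=...' parsing cannot split it."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        # Leading '#' or space and a trailing space are also significant.
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def keytool_dname(cn, ou="", o="", l="", s="", c="", differentiator=None):
    """Return 'CN=cName, OU=orgUnit, O=org, L=city, S=state, C=countryCode'.

    Empty subparts are omitted. If a differentiator is given, the first RDN
    becomes multi-valued (X.501 allows this): CN=John Doe+SERIALNUMBER=2.
    """
    first = f"CN={escape_rdn_value(cn)}"
    if differentiator is not None:
        first += f"+SERIALNUMBER={differentiator}"
    rest = [("OU", ou), ("O", o), ("L", l), ("S", s), ("C", c)]
    return ", ".join([first] + [f"{k}={escape_rdn_value(v)}" for k, v in rest if v])


class IssuedSubjects:
    """Constructed stand-in for a CA's index of subject DNs it has certified."""

    def __init__(self):
        self._seen = defaultdict(int)

    def subject_for(self, **fields) -> str:
        """Return the DN to put in the certificate for this applicant.

        The first applicant with a given DN gets it unchanged; every later
        applicant whose subparts collide gets a differentiator, so the CA
        never issues two certificates with indistinguishable subjects.
        """
        plain = keytool_dname(**fields)
        self._seen[plain] += 1
        n = self._seen[plain]
        return plain if n == 1 else keytool_dname(**fields, differentiator=n)
```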