RE: Qualified Certificates draft - Country name
Tony Bartoletti <azb <at> llnl.gov>
1999-03-02 02:29:57 GMT
At 07:45 PM 3/1/99 -0500, tgindin <at> us.ibm.com wrote:
[I (Tony) wrote]
>Hence if "Atomic Elements" were the established top-level names,
>a CA could select one at random and assign it as the first
>identifying "element" in my certificate (if the goal were simply
>to make directories "navigable".)
>Why, exactly, is there a need to have THESE names correspond to
>anything in the "real world"? As long as an entity can be uniquely
>defined, it would be the corresponding CA who should hold whatever
>information about the entity that might reveal the qualified
>[Tom Gindin] The problem I see is that a client performing a verification
>needs to find the issuing CA (not just its own CA) itself. The main reason
>to have these names correspond to something sizable in the real world is to
>keep the number of top-level names manageable, and to have a defensible
>basis for allowing certain entities to be at the top level and others not.
>Since the set of major industries is roughly as stable as that of
>countries, if assignment authorities for them could be as clearly
>determined, they would be reasonable candidates for top-level entries - if
>somebody could impose a lower bound on what is a "major industry".
I understand that there need be a pre-arranged, limited number
of top-level (and why not second and third level) names to afford
efficient directory navigation.
But I cannot see why the directory-search hierarchy should have ANY
relationship to a possible real-world identification "taxonomy".
That is just asking for headaches, and security-related problems.
If I entered into a transaction with you, online or off, and you need
to determine the authenticity of my credentials, I MUST cooperate to
some degree. If you do not know my "country", for instance, then a
directory with "country name" at the top is of no use to you.
In order for you to find my "issuer", I must supply you with some
information. It will either be sufficient information for you to
locate my issuer, or it will not. Once you know that my issuer is
(say) VeriSign, you can validate my QC and be satisfied.
I find the concept of having the directory hierarchy itself mirror
my "identification taxonomy" to be disturbing. It appears designed
less for "leaf location" and more for "opportunistic trawling".
(I know her name, she lives in Germany, and works for XYZ GMBH.
Let's see if we can locate her QC and find out more about her...)
I know its late in the game, but since it is MY issuing CA who
must vouch for my QC, all they need is to ensure they can place
its location in the directory unambiguously, while the directory
is structured so that inefficient "clumping" does not occur.
If the top 4 levels of the directory were organized according to
4 arbitrary "bytes", then "P.Q.R.S.VeriSign.whatever-else" would
be sufficient to locate my issuer and validate my QC. The fact
that my neighbor (same street, same country, same organization)
has a QC located by "E.R.G.B.VeriSign.whatever-else" should pose
no problem at all. Now, any CA can simply generate 4 random bytes
and assign them as the top-level "names" for the cert. After all,
it serves to point back to the CA, who must vouch for that cert's
Why should they always be the same, just because they are the
same CA, or for next-door neighbors, or whatever else might be
By this scheme, the top-levels of the directory are ALWAYS fixed
and manageable. And what more defensible basis for allowing "who"
gets to be at the top-levels? Simply bytes. They cannot argue,
and no one "owns" them.
The "Cert-Recipient" (Relying Party) needs to have the top-level
name (and more!) in any case, in order to use the directory.
Where are they expected to get this information? They will
certainly not be making blind-guesses (and you don't want them
to try.) Either they have a "name" to apply, or they do not.
Am I missing something critical? (wouldn't be the first time;)
Tony Bartoletti LL
Center for Information Operations and Assurance LL LL
Lawrence Livermore National Laboratory LL LL LL
PO Box 808, L - 303 LL LL LL
Livermore, CA 94551-9900 LL LL LLLLLLLL
phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL
email: azb <at> llnl.gov LLLLLLLL