Hi Kyle,

This is an important discussion. I am completely aware that X.509 has a life outside directory, although directories, especially LDAP systems, are often used for holding the different PKI components. In my effort to modernize X.509, I am trying to remove references to directory where it is not necessary. The main directory content is the schema information (attribute types, object classes and matching rules) for holding and accessing PKI/PMI components.

As to distinguished name, it seems too late to change that. It is part of many profiles and also of RFC 5280.

I do not believe that it would be wise to separate the content of X.509 into two different documents. X.509 is well established and well known. Putting the non-directory stuff into a separate document will cause confusion and many references will have to be changed. (ASN.1 was never part of X.500, but of X.400 (1984), and it was separated quite early.)

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik

-----Original message-----
From: Kyle Hamilton [mailto:aerowolf@xxxxxxxxx]
Sent: 1 December 2011 03:43
To: Tom Gindin
Cc: Erik Andersen; PKIX
Subject: Re: [pkix] Unclear public-key certificate definition in X.509

On Fri, Nov 12, 2010 at 4:38 PM, Tom Gindin <tgindin@xxxxxxxxxx> wrote:
> It no longer has the problem which it had before. Of course, it's
> a little odd to describe a certificate as a function of specifically the
> DN of the issuer, since the critical functional dependency is on the
> issuer's key pair.

The original X.509 use-case was that the Directory was everything, that everything could be Distinguishably Named, and that the Distinguished Name was the correct indexing system.

The problem is that the original designers hadn't had the experience of a decade of nearly universal worldwide deployment, with the format being extended into realms it was never intended to go. Perhaps X.509 could be formally decoupled from X.500, or (much like ASN.1) the data format and semantics could be moved to a different standard while the DIT bindings remain in X.509.

> The CA(A) expression just confuses me, because it suggests that the CA is
> a function of the subject name.

Unfortunately, the original designers appear to have not thought about what would happen if you had a DN collision with multiple certificates and keys. The key to the lock is unique, which means that it also meets the requirement to be a database key. The key is the key; the binding and all the rest is just metadata.

-Kyle H

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.
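The DN-collision point in Kyle's message (several certificates and keys behind one Distinguished Name, so the DN alone is not a usable database key) can be shown with a small certificate store. The following is an added example, not code from the thread or from any X.500/X.509 implementation: the certificate records and "public key" bytes are constructed, the `Cert` and `CertStore` names are this example's own, and the key identifier is computed the way RFC 5280 section 4.2.1.2 method (1) describes (SHA-1 over the subjectPublicKey bits). It indexes the same certificates once by subject DN and once by key identifier, then builds an issuer chain both ways: the name-only lookup returns two candidates because a root CA rolled its key but kept its DN, while the AKI-to-SKI lookup returns exactly the issuer whose key signed the leaf.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# All certificate records in this example are constructed; "spki" stands in
# for the subjectPublicKey BIT STRING value of a real certificate.
@dataclass(frozen=True)
class Cert:
    subject: str                 # subject DN, string form
    issuer: str                  # issuer DN, string form
    spki: bytes                  # stand-in for the subjectPublicKey bits
    aki: Optional[bytes] = None  # authorityKeyIdentifier.keyIdentifier, if present

    @property
    def ski(self) -> bytes:
        # RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey value
        return hashlib.sha1(self.spki).digest()


class CertStore:
    """The same certificates indexed twice: by subject DN and by key identifier."""

    def __init__(self, certs):
        self.by_name = {}  # subject DN -> list of certs; collisions are normal (rollover, cross-signing)
        self.by_key = {}   # SKI -> cert; unique as long as each public key appears once
        for c in certs:
            self.by_name.setdefault(c.subject, []).append(c)
            if c.ski in self.by_key:
                raise ValueError(f"duplicate public key for {c.subject}")
            self.by_key[c.ski] = c

    def issuers_by_name(self, cert):
        """Name-only chaining: every cert whose subject DN equals this cert's issuer DN."""
        return self.by_name.get(cert.issuer, [])

    def issuer_by_key(self, cert):
        """Key-based chaining: the cert whose SKI matches this cert's AKI, with the DN still agreeing."""
        if cert.aki is None:
            return None
        cand = self.by_key.get(cert.aki)
        if cand is not None and cand.subject == cert.issuer:
            return cand
        return None


def build_path_by_key(store, leaf, max_depth=8):
    """Follow AKI -> SKI links up to a self-issued certificate; return the subject DNs on the path."""
    path = [leaf]
    cur = leaf
    for _ in range(max_depth):
        if cur.subject == cur.issuer and (cur.aki is None or cur.aki == cur.ski):
            return [c.subject for c in path]  # reached a self-signed anchor
        nxt = store.issuer_by_key(cur)
        if nxt is None:
            raise LookupError("no issuer with key id " + (cur.aki.hex() if cur.aki else "None"))
        path.append(nxt)
        cur = nxt
    raise LookupError("path too long")


# Constructed scenario: the root CA rolled its key in 2011 but kept its DN,
# so two CA certificates share one subject name with different keys.
ROOT_DN = "CN=Example Root CA,O=Example"
ROOT_OLD = Cert(ROOT_DN, ROOT_DN, b"constructed-root-key-2005")
ROOT_NEW = Cert(ROOT_DN, ROOT_DN, b"constructed-root-key-2011")
LEAF = Cert("CN=server.example,O=Example", ROOT_DN, b"constructed-leaf-key", aki=ROOT_NEW.ski)
STORE = CertStore([ROOT_OLD, ROOT_NEW, LEAF])


def name_lookup_is_ambiguous():
    """True when chaining by issuer DN alone cannot pick a single issuer."""
    return len(STORE.issuers_by_name(LEAF)) > 1


if __name__ == "__main__":
    print("candidates by issuer DN:", len(STORE.issuers_by_name(LEAF)))  # 2
    print("issuer by key id:", STORE.issuer_by_key(LEAF).spki)           # b'constructed-root-key-2011'
    print("path:", build_path_by_key(STORE, LEAF))
```

The DN check inside `issuer_by_key` is deliberate: a key identifier found under a different subject name is not accepted as the issuer, so the key disambiguates among same-named certificates without letting the name binding drop away entirely.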