Re: Proposal: DN="CN=WebID,O=∅" was: certificate-authorities in CertificateRequest

On 10/25/12 4:31 AM, Andrei Sambra wrote:
> Hi all,
>
> I believe that using "W3.org" (in any field) would be misleading, as 
> it creates confusion about the certificate having "something to do" 
> with W3C.
>
> On the matter of using CN=WebID, O=∅, I think that some organization 
> would like to make use of O=, as well as of CN. We should find a 
> solution that is non-blocking for future users/uses. Let's take a look 
> at the LDIF fields:
>
> CN: common name
>
> It refers to the individual agent (person's name, device name, etc.) 
> for whom/which the cert has been created. Some CAs cannot reuse the 
> same CN, so it must change for each cert that is issued. When 
> performing WebID authentication, this field is displayed in the list 
> of certificates. It should not contain information that is not 
> pertinent to the user when having to make a choice between multiple certs.
>
> DN: distinguished name.
>
> As the name goes, it refers to the name that uniquely identifies an 
> entry.
>
> O and OU: organization and organizational unit
>
> They are the organization and organizational unit (or sometimes the 
> user group) that the user is part of. One user can have one O, and 
> multiple OU (different groups/departments).
>
> DC: domain component
>
> This refers to each component of the domain. For example 
> www.google.com would be written as DC=www,DC=google,DC=com.
>
> I suspect that DC is used in the process of certificate validation. 
> Since in WebID trust is established by dereferencing the 
> subjectAlternativeName value (and not by certificate validation), the 
> DC field would not really serve its initial purpose.
>
> Therefore, I propose that we re-purpose this field (DC) to contain 
> "WebID".
>
> As a side note, this is what I usually see when I log in using WebID:
>
> Andrei Vlad Sambra
> -------
> Issued to: CN = Andrei Vlad Sambra
>
> Serial Number: 00:FF:D5:DE:C6:E3:E0:DE:37
> Valid from 4/16/12 3:19:19 PM to 4/14/22 3:19:19 PM
> Issued by: CN = MyProfile
> OU = MyProfile
> O = MyProfile
> ST = Essonne
> C = FR
> -------
>
> I strongly believe that CN/O/OU/DN should not contain any information 
> other than what they are supposed to contain.
>
> I think we can discuss more about this during TPAC.
>
> Best,
> Andrei 

+1

Much looser and less of an overt hack.

-- 

Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Thursday, 25 October 2012 11:09:04 UTC
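Added example, not code from this thread or from any WebID implementation: a small RFC 4514 distinguished-name parser/serialiser, plus a check that reports where a "WebID" marker sits in a DN and what the certificate chooser would label the cert with (the first CN, which the quoted mail says is what the user sees). The policy the check encodes (marker in DC, CN/O/OU kept for names) is the one the quoted mail argues for and is an assumption of this example, not something the WebID spec mandates; all function names are my own, and the sample DNs are constructed from the thread (the subject line's "CN=WebID,O=" and the issuer DN Andrei pasted).

```python
"""Added example: RFC 4514 DN parsing and a WebID-marker placement check.
Not from the thread; the placement policy is the quoted mail's proposal (assumption)."""
import re

_ESCAPABLE = set(' #"+,;<=>\\')   # chars that may appear as backslash + char (RFC 4514 2.4)
_SPECIAL = set('"+,;<>\\')        # chars that must always be escaped when serialising
_HEX = re.compile(r"[0-9A-Fa-f]{2}")

def _split_unescaped(s, seps):
    """Split s at unescaped separator chars; returns [(piece, separator or None)]."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # keep escape pairs intact for _unescape
            cur.append(s[i:i + 2]); i += 2
            continue
        if c in seps:
            parts.append(("".join(cur), c)); cur = []
        else:
            cur.append(c)
        i += 1
    parts.append(("".join(cur), None))
    return parts

def _unescape(raw):
    """Resolve \\X (special char) and \\XX (hex UTF-8 byte) escapes into a str."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != "\\":
            out += raw[i].encode("utf-8"); i += 1
        elif raw[i + 1:i + 2] and raw[i + 1] in _ESCAPABLE:
            out += raw[i + 1].encode("utf-8"); i += 2
        elif _HEX.fullmatch(raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16)); i += 3
        else:
            raise ValueError(f"bad escape in {raw!r}")
    return out.decode("utf-8")

def _strip_unescaped_spaces(v):
    """Drop the padding in 'CN = Foo' (as browsers display it) but keep an escaped trailing '\\ '."""
    v = v.lstrip(" ")
    stripped = v.rstrip(" ")
    backslashes = len(stripped) - len(stripped.rstrip("\\"))
    if backslashes % 2 == 1 and len(stripped) < len(v):
        stripped += " "                       # the last space was escaped, so it is part of the value
    return stripped

def _parse_attr(s):
    t, eq, v = s.partition("=")
    if not eq or not t.strip():
        raise ValueError(f"malformed attribute {s!r}")
    return t.strip().upper(), _unescape(_strip_unescaped_spaces(v))

def parse_dn(dn):
    """'CN=a,OU=b+O=c' -> [[('CN','a')], [('OU','b'), ('O','c')]]  (one inner list per RDN)."""
    if dn == "":
        return []                             # RFC 4514 allows the empty DN
    rdns, rdn = [], []
    for piece, sep in _split_unescaped(dn, ",+"):
        rdn.append(_parse_attr(piece))
        if sep != "+":                        # ',' or end of string closes the RDN
            rdns.append(rdn); rdn = []
    return rdns

def _escape(v):
    out = "".join("\\" + c if c in _SPECIAL else c for c in v)
    if out.endswith(" "):
        out = out[:-1] + "\\ "                # trailing space must be escaped
    if out[:1] in (" ", "#"):
        out = "\\" + out                      # so must a leading space or '#'
    return out

def format_dn(rdns):
    """Inverse of parse_dn; values containing ',', '+', '\\' etc. round-trip safely."""
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in rdns)

def webid_dn_report(dn, marker="WebID"):
    """Where the marker sits, what the chooser would show, and any policy problems.
    Policy (assumption, per the quoted mail): marker belongs in DC; CN/O/OU carry names only."""
    attrs = [(t, v) for rdn in parse_dn(dn) for t, v in rdn]
    marker_in = sorted({t for t, v in attrs if v.lower() == marker.lower()})
    problems = [f"{t}={v!r} is repurposed for the marker; keep it for names only"
                for t, v in attrs if t in ("CN", "O", "OU") and v.lower() == marker.lower()]
    if "DC" not in marker_in:
        problems.append(f"no DC={marker} component, so nothing flags this as a WebID cert")
    cn = [v for t, v in attrs if t == "CN"]
    return {"chooser_label": cn[0] if cn else "", "marker_in": marker_in, "problems": problems}

# Constructed sample DNs: the subject line's proposal, a DC-marked subject, and the issuer from the mail.
SAMPLE_DNS = ("CN=WebID,O=", "CN=Andrei Vlad Sambra,DC=WebID",
              "CN=MyProfile,OU=MyProfile,O=MyProfile,ST=Essonne,C=FR")
if __name__ == "__main__":
    for sample in SAMPLE_DNS:
        print(sample, "->", webid_dn_report(sample))
```

Nothing here is a trust decision: as the mail notes, a WebID relying party dereferences the subjectAlternativeName URI and compares keys rather than validating the issuer chain, so every DN attribute is untrusted, display-only data. The check is hygiene for what the user sees in the chooser (CN) and for keeping the marker out of fields that other deployments want for real names.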