
Subject Unique Identifier or Equivalent

Subject Unique Identifier or Equivalent. William A. Weems & Mark B. Jones, Academic Technology, U. Texas Health Science Center at Houston. Subject Distinguished Name.


Presentation Transcript


  1. Subject Unique Identifier or Equivalent. William A. Weems & Mark B. Jones, Academic Technology, U. Texas Health Science Center at Houston

  2. Subject Distinguished Name
     OID.1.2.840.113549.1.9.1=william.a.weems@uth.tmc.edu, CN=William A. Weems, OU="www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)99", OU=Health Science Center at Houston CA, O=The University of Texas System

  3. X509 Structure
     • Certificate
       • Version
       • Serial Number
       • Algorithm ID
       • Issuer
       • Validity
         • Not Before
         • Not After
       • Subject
       • Subject Public Key Info
         • Public Key Algorithm
         • Subject Public Key
       • Issuer Unique Identifier (Optional)
       • Subject Unique Identifier (Optional)
       • Extensions (Optional)
         • ...
     • Certificate Signature Algorithm
     • Certificate Signature

  4. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, 4.1.2.8. Unique Identifiers: "These fields MUST only appear if the version is 2 or 3 (Section 4.1.2.1). These fields MUST NOT appear if the version is 1. The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time. This profile RECOMMENDS that names not be reused for different entities and that Internet certificates not make use of unique identifiers. CAs conforming to this profile MUST NOT generate certificates with unique identifiers. Applications conforming to this profile SHOULD be capable of parsing certificates that include unique identifiers, but there are no processing requirements associated with the unique identifiers." (RFC 5280)
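An added example (not part of the presentation or of RFC 5280) of what "capable of parsing, but no processing requirements" looks like in practice: a minimal DER walker that locates the optional issuerUniqueID [1] and subjectUniqueID [2] fields of a TBSCertificate and classifies the certificate under section 4.1.2.8. The certificates it is run on are constructed, unsigned stand-ins built by `sample_cert`; only their structure matters for the check.

```python
# Added example: apply RFC 5280 4.1.2.8 to the unique identifier fields of a
# DER certificate. Sample certificates are constructed stand-ins, not real ones.

def tlv(tag, body):
    """Encode one DER TLV (body lengths below 65536)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def unique_ids(cert_der):
    """Return (version, set of unique-identifier fields present)."""
    _, cert, _ = read_tlv(cert_der, 0)     # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate
    version, pos = 1, 0                    # v1 when the [0] version field is absent
    tag, val, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                        # [0] EXPLICIT Version INTEGER (0 = v1)
        version, pos = read_tlv(val, 0)[1][0] + 1, nxt
    for _ in range(6):                     # serialNumber, signature, issuer,
        _, _, pos = read_tlv(tbs, pos)     # validity, subject, subjectPublicKeyInfo
    present = set()
    while pos < len(tbs):                  # optional [1], [2] and [3] extensions
        tag, _, pos = read_tlv(tbs, pos)
        if tag == 0x81:                    # [1] IMPLICIT issuerUniqueID
            present.add("issuerUniqueID")
        if tag == 0x82:                    # [2] IMPLICIT subjectUniqueID
            present.add("subjectUniqueID")
    return version, present

def check_rfc5280(cert_der):
    """Classify a certificate under RFC 5280 4.1.2.8; parse the IDs, never act on them."""
    version, present = unique_ids(cert_der)
    if not present:
        return "ok"
    if version == 1:
        return "violation: unique identifiers MUST NOT appear in a v1 certificate"
    return "non-conforming issuer: unique identifiers present; parsed but ignored"

def sample_cert(version, subject_uid=None):
    """Constructed stand-in: [0] version, serial, five empty SEQUENCEs, optional [2]."""
    fields = [tlv(0xA0, tlv(0x02, bytes([version - 1])))] if version > 1 else []
    fields += [tlv(0x02, b"\x01")] + [tlv(0x30, b"")] * 5
    if subject_uid is not None:
        fields.append(tlv(0x82, b"\x00" + subject_uid))   # BIT STRING, 0 unused bits
    return tlv(0x30, tlv(0x30, b"".join(fields)) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```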

  5. "Applications (commerce or anything else) will use the subject identity to make authorization decisions. Since names cannot be reused, new names will become more and more unnatural and hard to comprehend and memorize, and different people will have different ways in addressing the uniqueness. I believe it is natural and should be encouraged, if not required, to always associate the subject name with a unique identifier. Without this requirement, privacy and protection of subject's internet resources, financial assets, etc., can be all at risk." Shyh-Wei Luan, 23 May 1997

  6. "You can always achieve the effect of a unique identifier by adding an attribute value assertion into the distinguished name for that purpose. For example, if Common Name is not assigned so as to be inherently unique, you can add another attribute that carries Employee Number or Customer Number, which is arranged to be unique." Warwick Ford, VeriSign, Inc., Fri, 23 May 1997

  7. What to Do?
