[Date Prev][Date Next] [Chronological] [Thread] [Top]


"Kurt D. Zeilenga" wrote:
> The authentication identity can be in any form.

The identity has to be unique?

>  I rather the
> form be as "natural" as possible.  That is, if the authentication
> identity is derived from an X.509 certificate, the identity
> should be "natural" (e.g. X.500) form.

I would not even speak of a X.500 form when using a cert DN since
most CAs issue certs without caring about directory structure at
all. E.g. look at my freemail cert DN issued by Thawte:

/S=Stroeder/G=Michael/CN=Michael Stroeder/Email=michael@stroeder.com

Just use the cert DN as unstructured but unique identifier
regardless of being meant as X.500 name in former days. Note: The
cert DN has only to be unique within the name-space of a CA. Two
different CAs can issue different certs with the same DN.

Ciao, Michael.