<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Oct 20, 2017, at 2:15 PM, Geoff Keating via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><blockquote type="cite" class=""><div class=""><div class="gmail_quote" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div class="">For example, you can find decades-old discussion in the IETF making the same arguments you're making here, and similar disagreement about the conclusions you're reaching (e.x. <a href="https://www.ietf.org/mail-archive/web/pkix/current/msg23992.html" class="">https://www.ietf.org/mail-archive/web/pkix/current/msg23992.html</a><span class="Apple-converted-space"> </span>)</div></div></div></blockquote><div class=""><br class=""></div><div class="">I don’t think there was, ultimately, disagreement. That discussion appears to terminate with this message:</div><div class=""><br class=""></div><div class=""><a href="https://www.ietf.org/mail-archive/web/pkix/current/msg23960.html" class="">https://www.ietf.org/mail-archive/web/pkix/current/msg23960.html</a></div><div class=""><br class=""></div><div class="">and the outcome was the creation of the uniqueIdentifier attribute (described in X.520 immediately before the section which describes dnQualifier). So now there are clearly two fields, one of which is used to distinguish between the same DN in a DSA and the other distinguishes between different DSAs. 
The uniqueIdentifier description even says</div><div class=""><br class=""></div><div class=""></div><blockquote type="cite" class=""><div class="">It may be, for example, an encoded object identifier, certificate, date, timestamp, or some other form of certification on the validity of the distinguished name.</div></blockquote><div class=""><br class=""></div><div class="">which sounds like the perfect field to store a hash of the subjectAltName, or a UUID. (The field is a bit string, which means you don’t have to base64 encode anything.)</div><div class=""><br class=""></div><div class="">So, did we consider uniqueIdentifier? If so, what were the problems?</div><div class=""><br class=""></div><div class="">While I’m asking questions, if there were problems related to it being a bitstring, did we consider serialNumber? If so, what were the problems?</div><div class=""><br class=""></div><div class="">I’m sorry to be asking so many questions, but I can’t find any record in the forum archives on this topic, and the author of the ballot didn’t include a rationale.</div></div></div></div></blockquote><br class=""></div><div>Sorry for the lack of rationale in the ballot. Ben was super helpful and drafted the ballot itself after a couple of rounds of discussion because I ran out of time. So I take the blame for not including the prior discussion in the ballot.</div><div><br class=""></div><div>The reason for choosing the dnQualifier attribute is that 5280 has a list of attribute types which are mandatory to support and dnQualifier is in that list. I also looked at all the certs in CT logs and found no conflicting use of dnQualifier. The core definition of dnQualifier in X.520 aligns with the intent here: "The <i class="">DN Qualifier</i> attribute type specifies disambiguating information to add to the relative distinguished name of an entry." The usage in this ballot is to provide disambiguating information when the subject would otherwise be the same (notably, be empty).</div><div><br class=""></div><div>We could move to serialNumber or assign a new object identifier which can be used for this purpose, but it would have no more meaning than dnQualifier for all known implementations. I did not find any place where dnQualifier had any semantics in applications when I looked.</div><div><br class=""></div><div>Thanks,</div><div>Peter</div></body></html>
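The thread above discusses putting disambiguating data (a hash of the subjectAltName, or a UUID) into a subject attribute so that certificates whose subject would otherwise be empty end up with distinct DNs. The following is an added example, not code from the thread, the ballot, or the CA/Browser Forum: a small pure-Python DER encoder and parser for an X.501 Name carrying a single dnQualifier RDN (OID 2.5.4.46, which RFC 5280 types as PrintableString), plus a constructed derivation of the qualifier value as the hex SHA-256 of the sorted, lowercased dNSName values. That hashing scheme and its canonicalization are assumptions made for the example; the ballot's own construction is not on this page. It shows why hex or UUID text fits the PrintableString alphabet without base64 and that two otherwise-empty subjects become distinct.

```python
import hashlib
import uuid

# Attribute type from X.520 as listed in RFC 5280 Appendix A (id-at-dnQualifier).
OID_DN_QUALIFIER = "2.5.4.46"

# PrintableString alphabet: letters, digits, space and ' ( ) + , - . / : = ?
_PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))


def is_printable_string(text):
    return set(text) <= _PRINTABLE


def printable_string(text):
    if not is_printable_string(text):
        raise ValueError("value contains characters outside PrintableString: %r" % text)
    return der_tlv(0x13, text.encode("ascii"))


def encode_name(attributes):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (one ATV per RDN here)."""
    rdns = [der_tlv(0x31, der_tlv(0x30, encode_oid(oid) + value)) for oid, value in attributes]
    return der_tlv(0x30, b"".join(rdns))


def dn_qualifier_from_sans(dns_names):
    """Constructed scheme (assumption, not the ballot's text): hex SHA-256 over the sorted,
    lowercased dNSName values. dNSName is IA5String, so ASCII A-labels are expected."""
    canonical = "\n".join(sorted(n.strip().lower() for n in dns_names))
    return hashlib.sha256(canonical.encode("ascii")).hexdigest()


def dn_qualifier_from_uuid():
    """Alternative mentioned in the thread: a UUID; 36 chars of hex digits and '-'."""
    return str(uuid.uuid4())


def subject_for_sans(dns_names):
    """A subject that would otherwise be empty, disambiguated by one dnQualifier RDN."""
    return encode_name([(OID_DN_QUALIFIER, printable_string(dn_qualifier_from_sans(dns_names)))])


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_name(der):
    """Return [(oid, value), ...] for every AttributeTypeAndValue in a DER Name."""
    tag, content, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(content):
        tag, rdn, pos = _read_tlv(content, pos)
        assert tag == 0x31, "RDN must be a SET"
        p = 0
        while p < len(rdn):
            tag, atv, p = _read_tlv(rdn, p)
            _, oid_content, q = _read_tlv(atv, 0)
            vtag, value, _ = _read_tlv(atv, q)
            out.append((decode_oid(oid_content), value.decode("ascii") if vtag in (0x13, 0x0C) else value))
    return out


if __name__ == "__main__":
    empty = encode_name([])                      # an empty subject: 30 00
    a = subject_for_sans(["www.example.com", "example.com"])   # constructed sample SANs
    b = subject_for_sans(["other.example"])
    print("empty subject:", empty.hex())
    print("subject A:", parse_name(a))
    print("subject B:", parse_name(b))
    print("subjects distinct:", a != b)
```

The parser accepts any single-ATV-per-RDN Name, so it can also be pointed at a real subject extracted from a certificate to check whether the dnQualifier value survives the round trip unchanged.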