Bug 4578

Summary: Uniqueness of DNs in the Certificate Registry
Product: GridShib Reporter: Tom Scavo <trscavo@gmail.com>
Component: Certificate Registry
Assignee: Tom Scavo <trscavo@gmail.com>
Status: NEW    
Severity: normal CC: gridshib-dev@globus.org, tfreeman@mcs.anl.gov, vwelch@uiuc.edu
Priority: P3    
Version: unspecified   
Target Milestone: beta   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 4957    

Description From 2006-07-10 16:20:09
Suppose GridShib CA #1 registers a certificate with the IdP.  Now suppose
GridShib CA #2 registers a certificate with the same IdP.  If the Subject DNs
of the two certificates are equal, the second registration will fail since the
Certificate Registry forces uniqueness on DNs.

In the above scenario, both DNs should be allowed in the Certificate Registry. 
This requires the DNs to be qualified.  The logical choice of qualifier is the
Issuer DN of the certificate.

This issue is related to the NameIdentifier/NameQualifier attribute in the
query. Today, the value of this attribute is the entityID of the IdP.  Instead,
it should be the Issuer DN of the end entity certificate.
------- Comment #1 From 2006-07-10 16:44:14 -------
Historical $.02 on this issue: This is a long-running debate in the Grid PKI
community. My own take on the matter is that CAs that are operating correctly
should not issue certificates with identical DNs (and in the rare cases they
do, only to the same individual) because their name spaces are constrained to
reasonable relative DNs. Globus has code to specifically restrict what DNs a CA
can issue to enforce this. There are a number of people though who argue that an
Issuer:Name approach is better since it simplifies configuration.
------- Comment #2 From 2006-08-23 13:25:15 -------
Assume that the Subject DN is globally unique, that is, two distinct CAs will
not issue certificates with identical DNs, even to the same principal.  Is this
a reasonable assumption?

Under this assumption, it is not necessary to qualify the DN in a SAML Subject.
In fact, the SAML V2.0 spec says

The NameQualifier and SPNameQualifier attributes SHOULD be omitted unless the
identifier's type definition explicitly defines their use and semantics.

In particular, the X509SubjectName identifier does not specify NameQualifier,
so the latter SHOULD be omitted in this case.
------- Comment #3 From 2006-08-23 13:43:04 -------
Let me relax the previous assumption somewhat.  Assume that the Subject DN is
globally unique in the following sense: if two distinct CAs issue certificates
with identical DNs, then the DN refers to the same principal.  Even under this
revised assumption, it is still not necessary to qualify the DN in a SAML
Subject.
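The following is an added example (not GridShib code) that models both sides of this thread: the registry collision from the description, where uniqueness on the Subject DN alone rejects a second CA's certificate, and the proposal to qualify the DN by Issuer DN, alongside the point from Comments #2 and #3 that an X509SubjectName NameIdentifier may omit NameQualifier when Subject DNs are assumed globally unique. The class names, the dict-based NameIdentifier, and the CA and subject DNs are constructed for illustration; the X509SubjectName format URI is SAML 1.1's.

```python
"""Certificate registry keyed on Subject DN alone versus (Issuer DN, Subject DN),
plus NameIdentifier resolution with and without a NameQualifier.
Illustrative code; class and function names are not GridShib's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SAML 1.1 name-identifier format for X.509 subject names
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"


@dataclass(frozen=True)
class Certificate:
    issuer_dn: str
    subject_dn: str
    serial: int


class DuplicateDNError(Exception):
    """Raised when a registration would violate the registry's uniqueness rule."""


class UnqualifiedRegistry:
    """Uniqueness enforced on Subject DN alone: the behaviour the bug describes."""

    def __init__(self) -> None:
        self._by_subject: Dict[str, Certificate] = {}

    def register(self, cert: Certificate) -> None:
        if cert.subject_dn in self._by_subject:
            raise DuplicateDNError(f"Subject DN already registered: {cert.subject_dn}")
        self._by_subject[cert.subject_dn] = cert


class QualifiedRegistry:
    """Uniqueness enforced on the (Issuer DN, Subject DN) pair, as the report proposes."""

    def __init__(self) -> None:
        self._by_key: Dict[Tuple[str, str], Certificate] = {}

    def register(self, cert: Certificate) -> None:
        key = (cert.issuer_dn, cert.subject_dn)
        if key in self._by_key:
            raise DuplicateDNError(f"(Issuer DN, Subject DN) already registered: {key}")
        self._by_key[key] = cert

    def __len__(self) -> int:
        return len(self._by_key)

    def resolve(self, name_id: Dict[str, Optional[str]]) -> List[Certificate]:
        """Resolve an X509SubjectName NameIdentifier.

        With a NameQualifier carrying the Issuer DN the lookup is exact.  Without
        one (the SAML V2.0 default that Comments #2/#3 argue is sufficient) every
        issuer's certificate for that Subject DN is returned; more than one hit is
        ambiguous unless the caller assumes all such certificates name one principal.
        """
        if name_id.get("Format") != X509_SUBJECT_NAME:
            raise ValueError("unsupported NameIdentifier format")
        subject = name_id["value"]
        qualifier = name_id.get("NameQualifier")
        if qualifier is not None:
            hit = self._by_key.get((qualifier, subject))
            return [hit] if hit else []
        return [c for (_, s), c in self._by_key.items() if s == subject]


def name_identifier(subject_dn: str, issuer_dn: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Build the NameIdentifier dict consumed by resolve(); the qualifier is optional."""
    nid: Dict[str, Optional[str]] = {"Format": X509_SUBJECT_NAME, "value": subject_dn}
    if issuer_dn is not None:
        nid["NameQualifier"] = issuer_dn
    return nid


def demo() -> dict:
    """Two constructed CAs issue certificates with the same Subject DN."""
    ca1 = "CN=GridShib CA 1,O=Example Org"   # constructed Issuer DN
    ca2 = "CN=GridShib CA 2,O=Other Org"     # constructed Issuer DN
    subject = "CN=Jane Doe,O=Example Org"    # constructed, identical in both certs
    cert1 = Certificate(ca1, subject, 1001)
    cert2 = Certificate(ca2, subject, 2002)

    unq = UnqualifiedRegistry()
    unq.register(cert1)
    try:
        unq.register(cert2)            # second registration fails, as reported
        second_rejected = False
    except DuplicateDNError:
        second_rejected = True

    q = QualifiedRegistry()
    q.register(cert1)
    q.register(cert2)                  # both accepted once the DN is qualified
    return {
        "unqualified_second_rejected": second_rejected,
        "qualified_count": len(q),
        "qualified_ca2_serial": q.resolve(name_identifier(subject, ca2))[0].serial,
        "unqualified_hits": len(q.resolve(name_identifier(subject))),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module shows the unqualified registry rejecting the second certificate while the qualified one stores both; resolving without a NameQualifier then returns two hits for the shared Subject DN, which is exactly the case that is only safe under the Comment #3 assumption that identical DNs from distinct CAs refer to the same principal.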