Bugzilla – Full Text Bug Listing
Summary: Uniqueness of DNs in the Certificate Registry
Product: GridShib
Component: Certificate Registry
Reporter: Tom Scavo <email@example.com>
Assignee: Tom Scavo <firstname.lastname@example.org>
Severity: normal
CC: email@example.com, firstname.lastname@example.org, email@example.com
Bug Depends on: (none)
Suppose GridShib CA #1 registers a certificate with the IdP. Now suppose GridShib CA #2 registers a certificate with the same IdP. If the Subject DNs of the two certificates are equal, the second registration will fail since the Certificate Registry forces uniqueness on DNs. In the above scenario, both DNs should be allowed in the Certificate Registry. This requires the DNs to be qualified. The logical choice of qualifier is the Issuer DN of the certificate. This issue is related to the NameIdentifier/NameQualifier attribute in the query. Today, the value of this attribute is the entityID of the IdP. Instead, it should be the Issuer DN of the end entity certificate.
Historical $.02 on this issue: This is a long-running debate in the Grid PKI community. My own take on the matter is that CAs that are operating correctly should not issue certificates with identical DNs (and in the rare cases they do, only to the same individual) because their namespaces are constrained to reasonable relative DNs. Globus has code to specifically restrict what DNs a CA can issue to enforce this. There are a number of people though who argue that an Issuer:Name approach is better since it simplifies configuration.
Assume that the Subject DN is globally unique, that is, two distinct CAs will not issue certificates with identical DNs, even to the same principal. Is this a reasonable assumption? Under this assumption, it is not necessary to qualify the DN in a SAML Subject. In fact, the SAML V2.0 spec says: "The NameQualifier and SPNameQualifier attributes SHOULD be omitted unless the identifier's type definition explicitly defines their use and semantics." In particular, the X509SubjectName identifier does not specify NameQualifier, so the latter SHOULD be omitted in this case.
Let me relax the previous assumption somewhat. Assume that the Subject DN is globally unique in the following sense: if two distinct CAs issue certificates with identical DNs, then the DN refers to the same principal. Even under this revised assumption, it is still not necessary to qualify the DN in a SAML Subject.
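The following is an added example, not code from the GridShib project or from anyone on this bug. It models the two positions above in a toy registry: the report's scenario of two CAs issuing the same Subject DN (which a Subject-DN-only key rejects and an Issuer-DN-qualified key accepts), and the later comments' point that an unqualified X509SubjectName NameID resolves only while the Subject DN is unique across issuers. The DNs, serial numbers, class and function names are constructed for illustration and are not the Certificate Registry's actual API; the NameQualifier, when emitted, carries the Issuer DN as the reporter proposes.

```python
"""Added example (not GridShib code): a toy Certificate Registry keyed on
(Issuer DN, Subject DN) or on Subject DN alone, plus a resolver for SAML
X509SubjectName NameIDs whose optional NameQualifier is the Issuer DN.
All DNs, serials and names below are constructed for illustration."""

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NameID format URI for X.509 subject names (SAML V2.0 Core, section 8.3.3).
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample DNs in RFC 4514 string form; not real CAs or users.
CA1_DN = "CN=GridShib CA 1,O=Example Grid,C=US"
CA2_DN = "CN=GridShib CA 2,O=Example Grid,C=US"
ALICE_DN = "CN=Alice Example,O=Example Grid,C=US"
BOB_DN = "CN=Bob Example,O=Example Grid,C=US"


@dataclass(frozen=True)
class Cert:
    """Stand-in for an end-entity certificate: only the fields the registry
    keys on. Real code compares DNs after X.500/RFC 4518 normalisation,
    not by exact string equality as done here."""
    issuer_dn: str
    subject_dn: str
    serial: int


class DuplicateDN(Exception):
    """Registration collides with an existing entry on the registry key."""


class AmbiguousDN(Exception):
    """A bare Subject DN matches certificates from more than one CA."""


class CertificateRegistry:
    """qualify=True keys entries on (Issuer DN, Subject DN); qualify=False
    keys on Subject DN alone, the behaviour the bug report describes."""

    def __init__(self, qualify: bool = True) -> None:
        self.qualify = qualify
        self._certs: Dict[Tuple[str, str], Cert] = {}

    def _key(self, cert: Cert) -> Tuple[str, str]:
        return (cert.issuer_dn if self.qualify else "", cert.subject_dn)

    def register(self, cert: Cert) -> None:
        key = self._key(cert)
        if key in self._certs:
            raise DuplicateDN(f"{cert.subject_dn!r} is already registered")
        self._certs[key] = cert

    def resolve(self, subject_dn: str, name_qualifier: Optional[str] = None) -> Cert:
        """Resolve an X509SubjectName NameID. name_qualifier, when given, is
        read as the Issuer DN (the reporter's proposal). Without it the
        lookup succeeds only if the Subject DN is unique across issuers,
        which is the assumption the later comments rely on."""
        matches: List[Cert] = [
            c for c in self._certs.values()
            if c.subject_dn == subject_dn
            and (name_qualifier is None or c.issuer_dn == name_qualifier)
        ]
        if not matches:
            raise KeyError(subject_dn)
        if len(matches) > 1:
            raise AmbiguousDN(f"{subject_dn!r} issued by {len(matches)} CAs; NameQualifier needed")
        return matches[0]


def name_id(cert: Cert, qualify: bool) -> ET.Element:
    """Build <saml:NameID Format=X509SubjectName>. The NameQualifier (Issuer
    DN) is emitted only when qualify=True; omitting it is what SAML V2.0
    Core recommends for a format that does not define the attribute."""
    el = ET.Element(f"{{{SAML_NS}}}NameID", {"Format": X509_SUBJECT_NAME})
    if qualify:
        el.set("NameQualifier", cert.issuer_dn)
    el.text = cert.subject_dn
    return el


def load(qualify: bool) -> Tuple[CertificateRegistry, List[str]]:
    """Register the constructed sample set (two CAs issue Alice's DN, Bob's
    DN is unique) and return the registry plus the rejected Subject DNs."""
    reg = CertificateRegistry(qualify)
    rejected: List[str] = []
    for cert in (Cert(CA1_DN, ALICE_DN, 1001), Cert(CA2_DN, ALICE_DN, 2001),
                 Cert(CA1_DN, BOB_DN, 1002)):
        try:
            reg.register(cert)
        except DuplicateDN:
            rejected.append(cert.subject_dn)
    return reg, rejected
```

With qualify=False the second Alice certificate is rejected, which is the failure the report describes. With qualify=True both register, but resolve(ALICE_DN) without a NameQualifier raises AmbiguousDN, while resolve(BOB_DN) still succeeds unqualified: the qualifier is only needed exactly when the global-uniqueness assumption of the later comments does not hold. Note that qualifying by Issuer DN moves the uniqueness requirement up one level; it assumes no two accredited CAs share an Issuer DN.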