Internet X.509 Public Key Infrastructure Permanent Identifier
draft-ietf-pkix-pi-11

Received changes through RFC Editor sync (changed abstract to 'This document defines a new form of name, called permanent identifier, that may be included in the subjectAltName extension of a public key certificate issued to an entity.

The permanent identifier is an optional feature that may be used by a CA to indicate that two or more certificates relate to the same entity, even if they contain different subject name (DNs) or different names in the subjectAltName extension, or if the name or the affiliation of that entity stored in the subject or another name form in the subjectAltName extension has changed.

The subject name, carried in the subject field, is only unique for each subject entity certified by the one CA as defined by the issuer name field. However, the new name form can carry a name that is unique for each subject entity certified by a CA. [STANDARDS-TRACK]')

[Note]: 'The draft includes significant revisions.  On the agenda to see if the revisions resolve the discuss positions.  Also, given the significant changes, all of the ADs may want to take a fresh look.' added by Amy Vezza

[Note]: 'The draft includes significant revisions.  On the agenda to see if the revisions resolve the discuss positions.  Also, given the significant changes, all of the ADs may want to take a fresh look.' added by Harald Alvestrand

[Note]: 'The draft includes significant revisions.  On the agenda to see if the revisions resolve the discuss positions.  Also, given the significant changes, all of the ADs may want to take a fresh look.' added by Russ Housley

The Draft has added Appendix C, "Permanent URIs for organizations" to handle some of the issues related to
my original DISCUSS, but this text is still substantially
wrong.  The first section, for example, conflates URIs
and domain names used to construct them.  Section c.1
looks at the mechanisms which have been used
to try to make access based URIs permanent (a la
the W3C's "Cool URIs don't change" BCP-equivalent),
but it still doesn't limit what kind of URIs might be
used, doesn't discuss whether a URN-style  URI could
be used (and URN are the only ones currently described
as having an expectation of permanence).

The references don't contain any informative or
normative references to the RFCs related to the construction,
syntax, or use of URIs.  This may be part of the problem.


C. Permanent URIs for organizations

URIs are delivered in conformance with ICANN rules, i.e. "Uniform
Domain Name Dispute Resolution Policy". http://www.icann.org/udrp/

Currently, once a URI has been assigned to an organization, the URI
will continue to be assigned to that organization as long as it pays
for it. However, in case there is no more payment, the domain name
which controls that URI can be re-assigned to another organization
asking for it.

This means that URI's are not assigned permanently.

C.1. How can URI's be made pseudo-permanent?

There are two main approaches that may be used singly or in combination:

    - continue to pay the renewal fee forever, or
    - choose a URI structure that is very unlikely going to be re-used,

It is clear that an update to the Internet-Draft is needed to resolve the DISCUSS votes.  Recent traffic on the PKIX WG mail list indicate that there is not an obvious consensus on the correct solutions to the issues that have been raised.  Therefore, I am returning the document to the working group.

Nit:
In section 1, "especially women as a result of marriage" - the word "women" should be deleted - says Harald, who changed his name as a result of marriage.