Bob Lord wrote:
> 
> In older versions of Communicator, there was a step in the certificate
> enrollment process where the user was asked to name his/her newly issued
> certificate.  Although this gave the user some flexibility, it mostly
> caused problems.  Users would sometimes choose non-descriptive names
> that would cause Help Desk problems down the road.  It also added extra
> clicks to the certificate issuance process.  More clicks meant higher
> Help Desk costs.  And there was no way to rename the cert, so whatever
> you chose stuck with you forever.
> 
> We eliminated that ability for most cert enrollments (around C4.6 or
> so?), and instead chose the nickname for the user (e.g. "Robert Lord's
> Verisign ID").  

Sounds like this could cause a problem if the "nickname" generated for the 
newly loaded cert is the same as the nickname for another cert with a 
different subject name.

There's supposed to be a 1:1 mapping between nickname and cert subject name.
If multiple certs have the same subject name, they should all have the same
nickname, but two certs with different subject names should have different
nicknames.  So, if two certs have subject names that differ in, say, only
the Organizational Unit attribute, but have the same subject common name 
and issuer name, and they got the same nickname, that would be a problem.

Also, there's one other minor consideration.  Since Communicator/PSM cert
and key DBs are format-compatible with Netscape & iPlanet server cert and
key DBs, in the past, some users have used Communicator as an alternative 
way to get certs issued for their servers.  They could do that because
Communicator (formerly) let them specify the same "nickname" as the server
used to fetch the server cert.  Now, they can no longer use the newest
releases of Communicator and PSM as alternatives to "Admin server" and 
"Console" for acquiring server certs, because they cannot set the cert's
nickname as necessary for the servers.  

I understand this is probably not a primary design goal for PSM's UI ;-)

--
Nelson Bolyard               Sun / Netscape Alliance
Disclaimer:                  I speak for myself, not for Netscape
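
The nickname/subject-name rule described in the message above can be checked mechanically. The following is an added example, not part of the original message and not Communicator, PSM or NSS code; the naming rule in auto_nickname() is an assumption modeled on the quoted "Robert Lord's Verisign ID" example, and the DN comparison is simplified.

```python
from collections import defaultdict

def auto_nickname(subject, issuer_org):
    # Hypothetical naming rule (assumption): uses only the subject CN and
    # the issuer, so every other subject attribute is ignored.
    return f"{subject['CN']}'s {issuer_org} ID"

def canonical_subject(subject):
    # Simplified DN comparison for this sketch: attribute order is ignored,
    # values are whitespace-normalized and case-folded.
    return tuple(sorted((k.upper(), " ".join(v.split()).lower())
                        for k, v in subject.items()))

def check_mapping(entries):
    """entries: iterable of (nickname, subject dict).
    Returns (collisions, split):
      collisions: nickname -> distinct subjects sharing that nickname
      split:      subject  -> distinct nicknames used for that subject"""
    by_nick, by_subj = defaultdict(set), defaultdict(set)
    for nick, subj in entries:
        key = canonical_subject(subj)
        by_nick[nick].add(key)
        by_subj[key].add(nick)
    collisions = {n: s for n, s in by_nick.items() if len(s) > 1}
    split = {s: n for s, n in by_subj.items() if len(n) > 1}
    return collisions, split

# Constructed sample subjects: same CN and issuer, different OU.
ENG = {"CN": "Robert Lord", "OU": "Engineering", "O": "Example Corp"}
SALES = {"CN": "Robert Lord", "OU": "Sales", "O": "Example Corp"}
ENG_RENEWED = dict(ENG)  # renewal: same subject name, new cert

def demo():
    subjects = (ENG, SALES, ENG_RENEWED)
    entries = [(auto_nickname(s, "Verisign"), s) for s in subjects]
    return check_mapping(entries)

if __name__ == "__main__":
    collisions, split = demo()
    for nick, subjects in collisions.items():
        print(f"nickname {nick!r} is shared by {len(subjects)} different subjects")
    for subj, nicks in split.items():
        print(f"subject {subj} has several nicknames: {sorted(nicks)}")
```

The renewed cert is not reported because it has the same subject name as the first one; only the OU-only difference produces a collision.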
