...
- CN attribute shall be a combination of the SAML attribute "displayName" and the eduPersonUniqueID
- If eduPersonUniqueID is not released eduPersonPrincipalName shall be used
- if eduPersonPrincipalName is not released eduPersonTargetedID shall be used
- The CA must ensure that the CN is unique within their namespace
...
- The RFC (5280 or 2459 to check) limits the length of the CN field to 64 characters. The string obtained as a combination of displayName+eduPUID may be longer than the limit. The CA must therefore re-hash the eduPUID to use a shorter, but globally unique, version of the user unique identifier.
- The re-hashing makes impossible for the e-infrastructure to map univocally the user's UID provided by the IdP to the certificate DN. This information can be provided by the CA as part of an incident response procedure.
- The CA must publish publicly the re-hashing algorithm, any change to the algorithm should follow a clear procedure to communicate the changes to all stakeholders. In this way the e-infrastructure can calculate the re-hashed user eduPUID used in the certificate and store the information internally, for a quicker incident response procedure.
References
•MJRA1.3: Design for the integration of an Attribute Management Tool
...