
Re: Can we form certificates with just name and e-mail address



Bob,

Steve,

>"Since e-mail addresses are
already globally unique, what does the given name and surname do for
you, from a tree structure standpoint?"

Well, e-mail addresses are presumably globally unique, but they are not necessarily
one to one with an identifiable person. Two or more people may share an
e-mail mailbox, and very often do. And one person may have more than one
mailbox, and many do.

OK. But that does not justify constructing the schema we're debating, nor does the schema in question match your examples below.

Likewise, there may be multiple Steve Kents, and there might or might not
be multiple c=US, sP=MA, l=Cambridge, cN="Steve Kent".

Yes, we need to have a DN that distinguishes among multiple Steve Kents. In your example above, a postal address would typically be employed to identify me as a specific residential person, or a binding to my employer would be used for me as an organizational person.

But presumably there would only be one
{c=US, sP=MA, l=Cambridge, cN="Steve Kent"}+rfc822="kent@bbn.com"

True. If the intent were to create multiple leaf entries below the single entry of this form then the justification would be better, but I don't think that's what people have been suggesting.

Even so, that DN might be globally unambiguous, but not globally unique.
{c=US, l=Gotham, cN="Clark Kent"}+rfc822="kent@bbn.com"
may in fact refer to the same individual.

No argument there. Multiple entries in the DIT may correspond to the same physical entity, as would usually be true for residential and organizational persons, for example.

And both e-mail postal boxes and DNS components can have aliases,
so {c=US, l=Gotham, cN=Superman}+rfc822="Faster Than A Speeding Bullet"@DailyPlanet.com
may also refer to the same person.

Sure.

Steve