Re: Can we form certificates with just name and e-mail address
Steve/Clark :-),
>>But presumably there would only be one
>>{c=US, sP=MA, l=Cambridge, cN="Steve Kent"}+rfc822="kent@bbn.com"
>True. If the intent were to create multiple leaf entries below the
>single entry of this form then the justification would be better,
>but I don't think that's what people have been suggesting.
It's not that I particularly like compound attributes, but that's what
I was suggesting, rather than having the rfc822 be a leaf under the user name
DN. That's what I mean to imply by the plus sign -- exactly like most
people have been suggesting for name+serial. At least the rfc822 name
component has a greater semantic content than a serial number.
On the other hand, I guess we could always revert to the infamous MPEG
of me and my cat. But instead of putting it in the DN, I guess we would have
to make it a directory attribute now. (Just joking, of course.)
Bob
>>> Stephen Kent <kent@bbn.com> 06/22/00 04:28PM >>>
Bob,
>Steve,
>
> >"Since e-mail addresses are
>already globally unique, what does the given name and surname do for
>you, from a tree structure standpoint?"
>
>Well, e-mail addresses are presumably globally unique, but they are
>not necessarily
>one to one with an identifiable person. Two or more people may share an
>e-mail mailbox, and very often do. And one person may have more than one
>mailbox, and many do.
OK. But that does not justify constructing the schema we're debating,
nor does the schema in question match your examples below.
>
>Likewise, there may be multiple Steve Kents, and there might or might not
>be multiple c=US, sP=MA, l=Cambridge, cN="Steve Kent".
Yes, we need to have a DN that distinguishes among multiple Steve
Kents. In your example above, a postal address would typically be
employed to identify me as a specific residential person, or a
binding to my employer would be used for me as an organizational
person.
>But presumably there would only be one
>{c=US, sP=MA, l=Cambridge, cN="Steve Kent"}+rfc822="kent@bbn.com"
True. If the intent were to create multiple leaf entries below the
single entry of this form then the justification would be better,
but I don't think that's what people have been suggesting.
>Even so, that DN might be globally unambiguous, but not globally unique.
>{c=US, l=Gotham, cN="Clark Kent"}+rfc822="kent@bbn.com"
>may in fact refer to the same individual.
No argument there. Multiple entries in the DIT may correspond to the
same physical entity, as would usually be true for residential and
organizational persons, for example.
>And both e-mail postal boxes and DNS components can have aliases,
>so {c=US, l=Gotham, cN=Superman}+rfc822="Faster Than A Speeding
>Bullet"@DailyPlanet.com
>may also refer to the same person.
Sure.
Steve