Re: Basic Cert-2-Directory mapping question
Peter, it's obvious that your talents are being wasted. You could easily
be the Michael Crichton of the PKI industry, and go on to fame and fortune.
I can see it now -- first a book, which lays out in layman's terms what ASN.1 is
really all about, then a mild little spin -- nothing too far fetched or provably wrong --
and then the story line commences. Suddenly, certificates are stretching
endlessly throughout all time, the inevitable consequence of "nonrepudiation"
being stretched, not too implausibly, both forwards and backwards.
Then the movie begins, with a subterranean bass that requires Dolby 5.1 and
at least 40,000 watts of powered subwoofer to do it justice. Without warning
(well, maybe a bit of Carnival of the Animals leitmotiv), an innocent MPEG movie
of a cat playing with its master, embedded in an antique certificate DN like a
mosquito in a bit of amber, is morphed back through time to the ancestral
saber-tooth tiger, devouring its prey in the carbonaceous (as opposed to
siliconaceous) Internet jungle, complete with T3 vines and monolithic (one rock)
servers.
Man, that ASN.1 is really, really powerful stuff! Who needs XML?!
Bob
>>> Peter Gutmann <pgut001@xxxxxxxxxxxxxxxxx> 01/09/01 08:35PM >>>
Stephen Kent <kent@xxxxxxx> writes:
>I think your analysis shows that we have a lot of folks playing CA who are
>not "qualified" to do so.
(Wibbly-wobbly effect, fade to shot of John Cleese being turned on
a spit by some nuns)
JOHN CLEESE: And now for something completely different...
(Fairly empty generic modern room. End entity being rushed into
the room on a dolly. PKI architects are flipping through
standards documents)
PKI ARCHITECT 1: commonName qualified with a serialNumber in the same RDN!
PKI ARCHITECT 2: firstName + surname + generationQualifier (if required) +
dnQualifier!
(Sysadmin enters and interrupts them)
SYSADMIN: The end entity is ready.
PKI ARCHITECT 1: Good, take her into the PKI frightening room.
SYSADMIN: Right.
PKI ARCHITECT 2: I say, it's a bit barren in here isn't it?
PKI ARCHITECT 1: Yes, more junk please sysadmin. The smart cards, the
Safekeyper, and the biometrics.
SYSADMIN: Yes, most certainly.
PKI ARCHITECT 1: And get the machine that issues certificates!
(Sysadmin wheels in a cart containing a PC which has "Intel
Inside" and "Designed for Microsoft Windows" stickers on it)
END ENTITY: What's that for?
PKI ARCHITECT 1: That's the machine that issues certificates.
(Machine goes PING and pops up a "Save certificate as..." dialog)
PKI ARCHITECT 1: You see, that means the end entity has been certified!
PKI ARCHITECT 2: And that is the most expensive machine in the whole building!
PKI ARCHITECT 1: Yes, it cost over three quarters of a million pounds.
PKI ARCHITECT 2: Aren't you lucky?!
SYSADMIN: The CEO is here doctor.
PKI ARCHITECT 1: Switch everything on!
(Bleep... whirrr... bing... rumble rumble)
CEO: Ah very impressive, very impressive, and what are you doing
this morning?
PKI ARCHITECT 2: It is a certification.
CEO: Ahhh... and what sort of thing is that?
PKI ARCHITECT 2: Well, that's where we certify uncontestably and undeniably
that someone we've never met before who lives on the other
side of the planet and who we know only as a (possibly
forged) email address really is who they claim to be and can
be trusted to write good cheques, buy alcohol, sign
contracts, and run a dot-com selling PKI services.
CEO: Wonderful what you can do nowadays. (PING) Ahhh... I see that
you have the machine that issues certificates. This is my
favorite. You see we leased it back from the company we sold
it to and that way it comes out of the monthly current budget
and not the capital account.
(Applause)
Thank you, thank you, we try to do our best, well do carry
on.
(CEO leaves)
PKI ARCHITECT 1: Lovely, lovely, jolly good, that's better, much much better.
PKI ARCHITECT 2: Yes, that's more like it.
PKI ARCHITECT 1: Uhh... still something missing though.
PKI ARCHITECT 1+2: END ENTITY!
PKI ARCHITECT 2: Yes, where's the end entity?
PKI ARCHITECT 1: Anyone seen the end entity?
SYSADMIN: Ahhh... here she is!
PKI ARCHITECT 1: Bring her over here.
PKI ARCHITECT 2: Mind the machine.
PKI ARCHITECT 1: Hello, now don't you worry.
PKI ARCHITECT 2: We'll soon have you certified!
PKI ARCHITECT 1: Leave it all to us, you'll never know what hit you.
END ENTITY: Will it be a nonRepudiation certificate?
PKI ARCHITECT 1: Now I think it's a little early to start imposing roles on it,
don't you? Now a word of advice, you may find that you
suffer for some time a totally irrational feeling of
depression, PKID as we call it. So, it's lots of happy pills
for you and you can find out all about the certification when
you get home. It's available on Betamax, VHS, and Super-8.
(Reporters and photographers enter the PKI frightening room)
PKI ARCHITECT 1: Who are you?
NOTARY PUBLIC: I am the end entity's notary public.
PKI ARCHITECT 1: I am sorry, only people involved are allowed in here.
END ENTITY: What do I do?
PKI ARCHITECT 2: Yes?
END ENTITY: What do I Do?
PKI ARCHITECT 2: Nothing dear, you're not "qualified"!
(Machine that issues certificates blue screens, camera zooms in to
reveal text that says "And now for something completely
different...")
Peter :-).