
Re: Basic Cert-2-Directory mapping question

Peter Gutmann wrote:
> 
> Stephen Kent <kent@xxxxxxx> writes:
> 
> >I have not read your paper, but the assertion that DNs don't work, without
> >substantiation, seems a bit strong. 
>
> [.. Very many valid points by Peter deleted..]

Peter, I completely agree with you. IMHO one of the main problems with
PKIX is that there's so much X.500 in it. ;-) (I enjoyed your
writing about T.61...)

> The sole meaningful piece of information in any of my certs is my email
> address

Agreed again. And IMHO the e-mail address combined with fast
searching (the real advantage of directory servers) is the only
working solution for a person's entry today.

> That's the point I made in the analysis in my
> paper, noone (well, almost noone :-) actually uses a DN in the way X.500 says
> it's supposed to be used.

And if you try, it's sometimes even hard to find the "right" value
for the CN attribute of a person's entry. BTW: Ed Gerck
wrote a nice paper about these naming problems too (available around
'98 if I remember correctly).

> >finally, the IETF has had a standard means of encoding a DNS name as a DN for
> >several years, which suggests that there is at least one scheme that would
> >work.
>
> (I have a vague
> memory of actually having seen a solitary DC in a cert somewhere, but a quick
> check of my collection has failed to locate one...

;-)

> does anyone know of examples of these being used?

Yes.

>  How does the average third-party app handle
> them?).

OpenSSL can handle them. Netscape Messenger seems to be able to use
them. web2ldap displays them...

Ciao, Michael.
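The thread refers to the IETF scheme for encoding a DNS name as a DN (the domainComponent, or DC, attributes that Peter says he has rarely seen in real certificates) and to OpenSSL being able to handle such names. The following is an added example, not code from Michael, Peter or the OpenSSL project, showing the mapping in both directions together with the pulling-out of the emailAddress attribute that the thread calls the only meaningful part of a personal certificate. The `/`-separated string form is OpenSSL's traditional "oneline" subject output (e.g. `/DC=com/DC=example/CN=Alice`); the function names are this example's own.

```python
# Added example: DNS name <-> domainComponent (DC) RDN mapping, an
# OpenSSL-style oneline DN parser/printer, and emailAddress extraction.
# All function names are hypothetical; sample values are constructed.


def dns_to_dc_rdns(dns_name):
    """Map 'www.example.com' to DC RDNs in ASN.1 (root-first) order:
    [('DC', 'com'), ('DC', 'example'), ('DC', 'www')].
    Labels are lower-cased (DC values are case-insensitive) and a
    trailing dot is tolerated."""
    labels = [l for l in dns_name.strip().rstrip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty DNS name")
    return [("DC", label) for label in reversed(labels)]


def dc_rdns_to_dns(rdns):
    """Inverse mapping: collect the DC values (root first) and join them
    back into a dotted DNS name; non-DC attributes (CN, O, ...) are ignored."""
    dcs = [value for attr, value in rdns if attr.upper() == "DC"]
    return ".".join(reversed(dcs))


def to_openssl_oneline(rdns):
    """Render RDNs in OpenSSL's traditional oneline form: /DC=com/DC=example/CN=Alice"""
    return "".join(f"/{attr}={value}" for attr, value in rdns)


def parse_openssl_oneline(text):
    """Parse the oneline form back into [(attr, value), ...].
    Caveat: this format has no escaping, so a value containing '/' is
    ambiguous; RFC 2253/4514 output should be preferred where available."""
    rdns = []
    for part in text.split("/"):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN component: {part!r}")
        rdns.append((attr, value))
    return rdns


def email_from_rdns(rdns):
    """Return the first emailAddress-type attribute value, or None.
    'E' and 'mail' are common short/LDAP spellings of the same idea."""
    for attr, value in rdns:
        if attr.lower() in ("emailaddress", "e", "mail"):
            return value
    return None


if __name__ == "__main__":
    # Constructed sample: a personal certificate subject built from a DNS name.
    subject = dns_to_dc_rdns("example.com") + [("CN", "Alice"),
                                               ("emailAddress", "alice@example.com")]
    line = to_openssl_oneline(subject)
    print(line)                                  # /DC=com/DC=example/CN=Alice/emailAddress=alice@example.com
    parsed = parse_openssl_oneline(line)
    print(dc_rdns_to_dns(parsed))                # example.com
    print(email_from_rdns(parsed))               # alice@example.com
```

The round trip shows why DC naming is attractive for directory lookups: the DNS name is recoverable from the DN without any out-of-band convention, while the e-mail address stays available as an ordinary attribute. The parser deliberately refuses components without an `=`, but it cannot detect a `/` inside a value, which is the main reason the oneline format was superseded by RFC 2253-style escaping.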