Re: Basic Cert-2-Directory mapping question

Stephen Kent wrote:
> 
> I have not read your paper, but the assertion that DNs don't work,
> without substantiation, seems a bit strong.  Certainly when people
> create arbitrary DNs, without regard to the semantics of directory
> structure, bad things happen.

Please review some discussion threads on LDAP-related lists about
directory tree design... a never-ending story.

Suggestions range from traditional X.521 naming to a flat-tree
name space under a dc=domain,dc=domain root.

> Also, it is fair to say that the grand,
> nations as top level directory operators model that X.500 envisioned
> has not happened,

Even if it had happened, X.521 tree naming would simply suck.
Think of multi-national companies which are not eager to reveal
their directory structure to the public. Not to speak of the
different country-dependent rules for the registration process...

> finally, the IETF has had a standard means of encoding a DNS name as
> a DN for several years, which suggests that there is at least one
> scheme that would work.

I agree that DNS-based naming (often called dc naming in the LDAP
world) is a way of at least finding a division between global and
organizational name space. System admins are used to it and they
have to sub-divide their organizations into DNS sub-domains anyway
(which is a pretty hard job though).

But who of you on the list has a mail address name@xxxxxxxxxxxxxx or
even name@xxxxxxxxxxxxxxxxxxxx? Will you agree with your admin if
you're assigned such an e-mail address? No, you will ask him for a
shorter one. Or you will go to a cheap free mail service to get a
shorter one. Or register your name as a domain (me too ;-).

=> People are used to flat name spaces. X.500 DNs do not work.

Ciao, Michael.
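The IETF scheme referred to above is the dc naming of RFC 2247. As an added example that is not part of this thread, here is a small Python conversion between DNS names and dc-form DNs, plus a check of which DNS domain a certificate subject DN maps into; the function names are my own, and it assumes single-valued RDNs and plain letter/digit/hyphen host labels.

```python
"""Added example: RFC 2247 dc naming <-> DNS names, and the dc root of a DN."""
import re

# DNS label rule (letters, digits, hyphen; no leading or trailing hyphen).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# Split a string DN on commas that are not backslash-escaped (RFC 4514).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def dns_to_dc_dn(hostname: str) -> str:
    """'www.example.com' -> 'dc=www,dc=example,dc=com', one dc per label."""
    labels = hostname.rstrip(".").split(".")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return ",".join(f"dc={label}" for label in labels)


def parse_dn(dn: str):
    """Split a string DN into (type, value) pairs, leftmost RDN first.
    Assumption: single-valued RDNs only; an unescaped '+' is rejected."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        if "+" in rdn.replace("\\+", ""):
            raise ValueError(f"multi-valued RDN not supported: {rdn!r}")
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def dc_dn_to_dns(dn: str) -> str:
    """Inverse mapping; rejects anything that is not pure dc naming,
    e.g. an X.521-style 'o=Example Corp,c=DE' DN."""
    rdns = parse_dn(dn)
    if any(attr != "dc" for attr, _ in rdns):
        raise ValueError("DN is not in dc naming form")
    return ".".join(value for _, value in rdns)


def dn_domain(dn: str):
    """DNS domain implied by the trailing dc components of a DN (for instance
    a certificate subject), lower-cased; None when the DN has no dc root."""
    labels = []
    for attr, value in reversed(parse_dn(dn)):
        if attr != "dc":
            break
        labels.append(value.lower())
    return ".".join(reversed(labels)) or None
```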