
Re: Basic Cert-2-Directory mapping question



Stephen Kent <kent@xxxxxxx> writes:
>At 9:08 AM +0100 1/10/01, Michael Ströder wrote:
>>=> People are used to flat name spaces. X.500 DNs do not work.
>
>Flat name spaces scale poorly, lead to confusion, and are thus not attractive
>in various ways.  People do like flat name spaces until they trip over the
>limitations they embody; then they complain and look for magic solutions.
>I've seen no appropriate magic for this problem.
 
Have you actually seen the problem though?  It's automatically assumed that
there's some vast, unassailable problem which hierarchical names will solve,
but I don't think I've ever seen it except as some special-case, often
hypothetical situation which is used to justify the need for DNs (or whatever).
In the real world people have been using their flat, non-scalable name spaces
for several decades without any sign that civilisation is about to collapse.
Only yesterday I was talking to someone whose company is deploying a nationwide
PKI based on HTTP (you tack the ID of the cert owner onto a URL and grab it
from a server, revocation is handled by removing the cert).  Since it's HTTP,
it's guaranteed to work through firewalls, proxies, and other oddities, and is
supported on every platform.  I shudder to think what it would take to do the
same thing with CRLs and directories and DNs and whatnot.
 
In the real world we use flat IDs for practically everything where certs might
at some stage be employed without any problems, for example:
 
  - Access to University account information (Uni. ID number)
  - Access to/submission of tax info (taxpayer ID, SSN in the US I guess)
  - Email encryption (email address)
  - Access to/update of frequent flyer info (frequent flyer number, living
    where I do you get handed one of these the first time you buy a ticket :-).
  - Bank account access (account number)
  - Access to patient medical records (from the discussion yesterday, this uses
    some doctor registration number which is centrally managed)
 
There isn't actually anything I do which needs a hierarchical DN or any of the
accompanying paraphernalia and complexity (X.500/LDAP/whatever); in every case
a simple "Get me the cert for <flat, non-hierarchical, just plain works ID>"
will do the job.  What major, urgent real-world problem (apart from "Lack of
revenue from selling X.500 services"), which couldn't be addressed much more
simply with existing mechanisms, are DNs et al actually solving?
 
[I should add an addendum here that the person I was talking to asked me about
 switching to LDAP, since he'd read about it a bit in the trade press and
 wanted to know what was involved.  I started to run through the standard
 5-minute intro to X.500 and LDAP and he looked at me as if he expected a
 cuckoo to pop out of my forehead on a small spring... I doubt they'll be
 switching over any time soon]
 
Peter.