Re: Basic Cert-2-Directory mapping question
Stephen Kent wrote:
>
> At 9:08 AM +0100 1/10/01, Michael Ströder wrote:
> >
> ><snip>
> >
> >=> People are used to flat name spaces. X.500 DNs do not work.
>
> Flat name spaces scale poorly, lead to confusion, and are thus not
> attractive in various ways. People do like flat name spaces, until
> they trip over the limitations they embody, then they complain and
> look for magic solutions.
Now for the X.500/LDAP variant of a "magic solution":
1. An organization tries to find a solution for the flat name space
problem, but the management is clueless.
2. They hire an IT consultant.
3. X.500 is chosen as THE solution (mainly because the X.500 books
the IT consultant read sounded so promising).
4. After discussing for weeks or months which DIT rules to use, a
hierarchy is defined and written down in a concept paper.
5. The DIT rules are presented but the company's CEO makes some
"strategic" decisions about naming. Mainly he does not like the DN
for his entry because it's too long. He chooses
cn=ceo,dc=famousecommerce,dc=com for his entry and
cn=secretary,dc=famousecommerce,dc=com for his secretary's entry.
6. Again discussing DIT rules according to the new "requirements"
and working out a migration plan. The IT consultant has done his
job...
7. Finally the new X.500 or LDAP server is up and running.
Testing...
8. The directory admin switches off global searches and browsing
mainly for avoiding performance problems.
9. None of the Joe Average users are able to use the new service, and
people are still happy with their local address book in their
favourite e-mail app.
10. After a couple of months somebody starts his own flat-named
service and opens it to other users. People are amazed by this "new"
centralized data repository which is easy to use...
11. The new service grows to the same scalability problem again.
12. Goto 1.
Don't get me wrong. I am using LDAP servers and I think a directory
service can be very convenient within an organization, especially for
retrieving e-mail certificates!
But some of the promises made by directory people were not fulfilled
during the last 10+ years. Still these promises are repeated over
and over again.
> I've seen no appropriate magic for this problem.
Neither have I.
Ciao, Michael.