Re: Basic Cert-2-Directory mapping question
On Thu, 11 Jan 2001, Anders Rundgren wrote:
> Peter,
>
> > >Flat name spaces scale poorly, lead to confusion, and are thus not attractive
> > >in various ways. People do like flat name spaces, until they trip over the
> > >limitations they embody, then they complain and look for magic solutions.
> > >I've seen no appropriate magic for this problem.
> >
> > Have you actually seen the problem though? It's automatically assumed that
> > there's some vast, unassailable problem which hierarchical names will solve,
> > but I don't think I've ever seen it except as some special-case, often
> > hypothetical situation which is used to justify the need for DNs (or whatever).
> > In the real world people have been using their flat, non-scalable name spaces
> > for several decades without any sign that civilisation is about to collapse.
>
> I second that 100%. The only thing you gain by hierarchical cert names is rigidness
> (i.e. can only be used in a certain regime) and low traceability (change position
> and then you become another identity). So even for closed PKIs we do have
> a serious mapping issue IMNSHO.
I'll jump on the bandwagon with Peter, Anders, and a few others. DNs, to
me, have never been hierarchical. They are basically converted to strings,
or hashed, and used, searched for, and compared that way. I really enjoy
the "flat" name space. It's simple, and normal people, as well as "simple"
programmers, know how to deal with it. It's not really flat, but comes in
two parts: 1. tell me where to find it, and 2. tell me how to find it from
there. HTTP is just one good example illustrated by Peter, SDSI (SPKI?) is
another. (And I, for one, like that revocation scheme much better than
trying to find CRLs and calculate delta CRLs, what a waste of precious
processing time!) The whole X.500 thing, in my mind, is so bizarre. It's
so complex, and with OCSP servers, and DPV and such, the whole thing is
going to start looking like Kerberos pretty soon, which has one of these
so-called flat namespaces.
Cheers,
-Polar
-------------------------------------------------------------------
Polar Humenn Adiron, LLC
mailto:polar@xxxxxxxxxx 2-212 CST
Phone: 315-443-3171 Syracuse, NY 13244-4100
Fax: 315-443-4745 http://www.adiron.com