Re: Basic Cert-2-Directory mapping question
Anders,
Peter,
> >Flat name spaces scale poorly, lead to confusion, and are thus not attractive
> >in various ways. People do like flat name spaces, until they trip over the
> >limitations they embody, then they complain and look for magic solutions.
> >I've seen no appropriate magic for this problem.
>
> Have you actually seen the problem though? It's automatically assumed that
> there's some vast, unassailable problem which hierarchical names will solve,
> but I don't think I've ever seen it except as some special-case, often
> hypothetical situation which is used to justify the need for DNs (or whatever).
> In the real world people have been using their flat, non-scalable name spaces
> for several decades without any sign that civilisation is about to collapse.
I second that 100%. The only thing you gain by hierarchical cert names is rigidness
(i.e. can only be used in a certain regime) and low traceability (change position
and then you become another identity). So even for closed PKIs we do have
a serious mapping issue IMNSHO.
Hierarchic name spaces are desirable for many reasons irrespective of
the narrow focus of this discussion. (Note that DNS is an example of
such a name space.) They are attractive because they allow easy
distribution of name creation without fear of collision, and if one
aligns repositories with the name space, distribution of the database
is also facilitated. X.500 has not been widely successful, in part
because there is no authority to impose name space constraints,
mediate disputes, etc. DNS is successful because we have such
authorities and because folks are motivated to operate their parts of
the tree reliably, else Internet access is dramatically affected. So,
don't confuse X.500 problems with hierarchic name space problems.
Steve