Re: Basic Cert-2-Directory mapping question
Polar,
I'll jump on the bandwagon as Peter, Anders, and a few others. DNs, to me, have never been hierarchical. They are basically converted to strings, or hashed, and used, searched for, and compared that way. I really enjoy the "flat" name space. Simple, and normal people, as well as "simple" programmers, know how to deal with it. It's not really flat, but comes in two parts: 1. tell me where to find it, 2. and tell me how to find it from there. HTTP is just one good example illustrated by Peter; SDSI (SPKI?) is another. (And I, for one, like that revocation scheme much better than trying to find CRLs and calculate delta CRLs, what a waste of precious processing time!). The whole X.500 thing, in my mind, is so bizarre. It's so complex, and with OCSP servers, and DPV and such, the whole thing is going to start looking like Kerberos pretty soon, which has one of these so-called flat namespaces.
You're confused. DNs are hierarchical, by definition. That's not open to debate; it is a function of the fact that they are directory distinguished names, inherited from X.500, as Sharon has pointed out. The fact that some people may have chosen to treat them in other ways does not change the semantics of the name form, as specified by many standards.
Kerberos may be a good example of a flat name space, but only within a single realm, i.e., to scale beyond one realm one must use a name with a realm ID. That already makes it a two-level, not flat, name space. Only by imposing conventions on Kerberos names, tied to the DNS (which, last time I looked, was hierarchical) does one manage to ensure uniqueness, scalability, and locatability for KDCs (piggybacking on DNS).
All the criticisms re hierarchic name spaces apply not only to DNs but to DNS names as well, a system that enables us to engage in this debate via e-mail. The limitations of poor use of hierarchic name spaces are also evident in the DNS, mostly in the form of the legacy TLDs: .com, .net, .org, .mil, .gov, .edu. These flatten the space considerably and overload the system, except where we have become xenocentric and restricted use to U.S. entities (e.g., for gov and mil). When Jon Postel managed name assignment, people could rely on .org and .net being appropriately assigned, something that is no longer true. The rush for every company and many individuals to be listed under .com, vs. under country codes that then can have a .com subdomain, has diminished the benefits that should result from this structure, and places greater and greater demands on the server infrastructure.
I already explained why hierarchic name spaces are desirable, so I won't repeat the arguments. Despite all the fun that results from this discussion, PKIX is not the right forum in which to have the debate. We're not a directory WG. We support various options for names, thanks to the GeneralName construct of v3 certs. It's useful to discuss how to solve problems related to cert repository discovery, but since we are not a directory WG, keep in mind the limitations on our ability to influence the results of such discussions.
Steve