[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Basic Cert-2-Directory mapping question

To: "Slone, Skip" <skip.slone@xxxxxxxx>
Subject: RE: Basic Cert-2-Directory mapping question
From: "Oscar Jacobsson" <oscar.jacobsson@xxxxxxxxxxx>
Date: Thu, 11 Jan 2001 23:16:05 +0100
Cc: "'Sharon Boeyen'" <sharon.boeyen@xxxxxxxxxxx>, <ietf-pkix@xxxxxxx>
Importance: Normal
In-reply-to: <>

> From: Slone, Skip [mailto:skip.slone@xxxxxxxx]
> In response to this, I'm inclined to join Sharon on Marshall's soapbox and
> echo her words:
>
> "... I believe a more constructive approach is to accept the fact that
> different parts of the world and different environments will use a variety
> of nameforms ... We are not the global naming police either and should not
> try to impose the rules that anyone uses to name entities to which they
> issue certificates."

I'm sorry if I came across as clamouring for rules be imposed. I know that this working group has a tendency to be wary of suggestions that don't cater for distinguished names containing cat MPEGs, so I should probably have been more careful. The requirements I suggested were for a possible naming standards document, conformance to which need not be enforced.

The case at hand is not, IMHO, one of dictating that "all distinguished names must be according to our will, or you shall feel our wrath". A document however, outlining a naming strategy that would require of the users of certificates named accordingly no a-priori knowledge of their issuer (save for eventually having to reach something explicitly trusted in the chain) in order to perform path validation, is something I would personally consider very valuable indeed. I'm reasonably confident that organizations intending to act as certification authorities or trusted third parties would agree.

> And to quote someone Sharon and I both know, "If all you have is a hammer,
> every problem looks like a nail."

It seems I was less than clear here as well. :-(

My intention was to point out that there are actually two separate problems here (one nail, if you will, and one screw) each looking for its own solution:

1. Defining a repository, and subsequently entry, discovery process for arbitrarily named entries.

2. Defining a naming scheme that _if applied_ would automate this repository and entry discovery process.

I am only trying to address the second of these problems. The first is only an issue because nobody seems to have properly addressed the second before deploying certificates on the Internet en masse. The further we wait before addressing number two, the more of a problem number one will become.

I should probably make a habit of pointing out that the opinions stated here are my very own, and not necessarily those of my employer.

Cheers,

//oscar

References:
- RE: Basic Cert-2-Directory mapping question
  - From: Slone, Skip

Prev by Date: RE: Basic Cert-2-Directory mapping question
Next by Date: RE: DPD & DPV requirements - Let us Recurse
Previous by thread: RE: Basic Cert-2-Directory mapping question
Next by thread: RE: Basic Cert-2-Directory mapping question
Index(es):
- Date
- Thread