Re: Basic Cert-2-Directory mapping question
Bob Jueneman wrote:
>
> Civil attribute type names will always be with us, and hence must be
> dealt with, for at least two fundamental reasons:
>
> 1. An address is not a name, although it may be a pseudonym. I
> don't want to be forced to change my identity, or to an extent
> my basis "self-hood," every time I change my ISP.
"Identity" is a very fundamental term. I would use it rather
carefully here. Identity can never ever be fully mapped to any sort
of name or address. Nor can it be represented by a public-key
certificate for this very reason.
> 2. E-mail address and other cyberspace identifiers fail to provide the
> essence of PKI from a nonrepudiation standpoint, i.e., what I call the
> "where do you send the sheriff" question.
I have no problems adding a mapping from what you call a "cyberspace
identifier" to a civil information record if this identifier is
unique.
And note that we have problems when dealing with "civil names"
anyway. Most times you can't derive from civil names (e.g. X.521
attributes) where to "send the sheriff".
Furthermore the CA already vouches for the mapping of the
certificate holder's "identity" (reduced to checking parts of the
identity specified in their CPS) to the subject DN. Whatever the
subject DN contains. If your business relies on a PKI you have to
trust a CA which enables you to "send the sheriff" to the
certificate holder. That's it.
Ciao, Michael.