
RE: Basic Cert-2-Directory mapping question



John,

 >As I read your suggestion, you want to add an element to the DN
 >that directs the user to the appropriate directory. The new
 >element is syntactically an RDN, but semantically is something
 >different.  The resulting new-style DN appears to me to be
 >semantically comparable to an LDAP URL.


I don't think the proposed "dir" attribute is semantically very different from any other naming attributes. What we're trying to do with names in certificates is to maintain the X.500 illusion that a DN uniquely identifies an entry in some global directory. But we don't have a single global directory; instead we have a collection of directories which don't talk to one another - i.e. instead of the single DN root assumed by X.500, we actually have multiple roots, one for each directory.

I think this is a debatable point. The X.500 model assumes interconnection of top level (country or international, not multinational organizations) directories via knowledge references. Adding in a dir attribute, to compensate for the lack of these TLDs, does seem to violate the semantics of X.500 naming and of operation. Your text above makes clear how this approach deviates from the original model (with good motivations), but that does change the semantics.


<snip>

Steve