
Re: Acceptance of DC-style DNs (was: OCSP I-Ds going forward)



Michael Ströder <michael@xxxxxxxxxxxx> writes:

>Peter, I disagree with your opinion about acceptance of DC-style DNs. Usage
>of DNs according to RFC 2247 is getting very common in today's LDAP
>deployment.

I've never seen one, and I have a fairly wide-ranging cert collection from all
sorts of sources... there may be one in there somewhere that I've forgotten
about and I don't want to search the whole lot to find it, but from what I've
seen, usage is practically nonexistent.  You're probably correct in that usage
is necessary for LDAP deployment, but that doesn't mean that they're in common
use anywhere.

>The main problem with PKI deployment is that most PKI-enabled software does
>not support this kind of DNs.

I think the real problem is that DCs are a weird artifact of X.500 ideology
rather than any real-world issue [0].  People don't even know what to do with
a "locality" or "organisationalUnit", let alone a DC.  Even if the software
supported it, no-one would know what to do with them apart from treating them
as yet another odd blob ID.

Peter.

[0] I've tried explaining DCs to one or two people in the past when doing one
    of the PKI tutorials on my home page, and the reaction was generally head-
    shaking and comments involving the terms "OSI", "reality", and "out of
    touch with".  One guy (who had worked in an OSI environment in the past)
    asked whether 2247 was an April 1 RFC.