Re: Acceptance of DC-style DNs (was: OCSP I-Ds going forward)
Peter Gutmann wrote:
Michael Ströder <michael@xxxxxxxxxxxx> writes:
Peter, I disagree with your opinion about acceptance of DC-style DNs. Usage
of DNs according to RFC 2247 is getting very common in today's LDAP
deployment.
I've never seen one, and I have a fairly wide-ranging cert collection from all
sorts of sources... there may be one in there somewhere that I've forgotten
about and I don't want to search the whole lot to find it, but from what I've
seen, usage is practically nonexistent.
> You're probably correct in that usage
> is necessary for LDAP deployment, but that doesn't mean that they're in
> common use anywhere.
Not true. I know at least two PKIs where DC-style DNs are used. Both with a
1:1 mapping of subject DNs to LDAP DNs.
The main problem with PKI deployment is that most PKI-enabled software does
not support this kind of DN.
I think the real problem is that DCs are a weird artifact of X.500 ideology
rather than any real-world issue [0]. People don't even know what to do with
a "locality" or "organisationalUnit", let alone a DC. Even if the software
supported it, no-one would know what to do with them apart from treating them
as yet another odd blob ID.
I won't jump into the debate about whether hierarchical names make sense
or not. That's rather a philosophical question.
The issue raised here was that DNs have to be unique. Therefore the point is
that DNS has a world-wide operational system of naming registries. In
contrast, there's no working world-wide system of naming authorities for
X.521 names (except some small islands in the academic community).
[0] I've tried explaining DCs to one or two people in the past when doing one
of the PKI tutorials on my home page, and the reaction was generally
head-shaking and comments involving the terms "OSI", "reality", and "out of
touch with". One guy (who had worked in an OSI environment in the past)
asked whether 2247 was an April 1 RFC.
Well, usually in my LDAP workshops people pick up the point quite fast. And
I would not claim to be a better teacher than you. Usually people are more
aware of DNS domains.
Ciao, Michael.
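[Added example, not part of the thread above.] The exchange turns on two concrete mechanisms: the RFC 2247 rule that maps a DNS domain onto a chain of dc RDNs, and the "1:1 mapping of subject DNs to LDAP DNs" whose uniqueness rests on the DNS registry rather than on an X.521 naming authority. The block below, written for this page and not taken from either poster or from any PKI product, implements both directions of that mapping in the RFC 4514 string form and the check a CA or relying party would actually run: that a subject DN ends in a dc tail spelling the domain the issuer is authoritative for. The names (example.com, the sample cn/ou values) are constructed; the parser deliberately supports only single-valued RDNs.

```python
"""RFC 2247 DC-style DNs: domain <-> dc tail, RFC 4514 string form, and the
subject-DN/domain consistency check. Constructed example; example.com and the
sample RDN values are made up."""
import re

_SPECIALS = set(',+"\\<>;')  # RFC 4514 2.4: must be backslash-escaped in values
_LABEL = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')  # one DNS label (LDH rule)


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for the RFC 4514 string representation."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIALS or (ch == ' ' and i in (0, last)) or (ch == '#' and i == 0):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Minimal RFC 4514 parser: single-valued RDNs, '\\c' and '\\XX' (one UTF-8
    byte) escapes. Unescaped spaces next to separators are dropped, as most
    real-world DN strings rely on."""
    rdns, buf, pending, attr_type, i = [], bytearray(), 0, None, 0

    def emit(b: bytes) -> None:
        nonlocal buf, pending
        if buf:                      # keep unescaped spaces only inside a value
            buf += b' ' * pending
        pending = 0
        buf += b

    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            pair = dn[i + 1:i + 3]
            if re.fullmatch(r'[0-9A-Fa-f]{2}', pair):
                emit(bytes.fromhex(pair)); i += 3      # hex-escaped UTF-8 byte
            elif i + 1 < len(dn):
                emit(dn[i + 1].encode()); i += 2       # escaped special char
            else:
                raise ValueError('dangling backslash in DN')
            continue
        if attr_type is None and ch == '=':
            attr_type, buf, pending = buf.decode().lower(), bytearray(), 0
        elif attr_type is None and ch == ',':
            raise ValueError('empty RDN')
        elif attr_type is not None and ch == ',':
            rdns.append((attr_type, buf.decode()))
            attr_type, buf, pending = None, bytearray(), 0
        elif attr_type is not None and ch == '+':
            raise ValueError('multi-valued RDNs are not supported here')
        elif ch == ' ':
            pending += 1
        else:
            emit(ch.encode())
        i += 1
    if attr_type is None:
        raise ValueError('RDN without "="')
    rdns.append((attr_type, buf.decode()))
    return rdns


def domain_to_dc_dn(domain: str) -> str:
    """RFC 2247: one dc RDN per label, leftmost label first
    ('example.com' -> 'dc=example,dc=com'). dc is case-insensitive, so lowercase."""
    labels = domain.rstrip('.').lower().split('.')
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f'invalid DNS label: {label!r}')
    return ','.join('dc=' + label for label in labels)


def split_dc_dn(dn: str) -> tuple[list[tuple[str, str]], str]:
    """Split a DN into its local RDNs and the domain spelled by its dc tail.
    The dc RDNs must be the last ones; a cn or ou after them would no longer
    sit under the DNS-registered part of the tree."""
    rdns = parse_dn(dn)
    types = [t for t, _ in rdns]
    if 'dc' not in types:
        raise ValueError('DN has no dc component')
    first = types.index('dc')
    if any(t != 'dc' for t in types[first:]):
        raise ValueError('dc RDNs must form the tail of the DN')
    return rdns[:first], '.'.join(v.lower() for _, v in rdns[first:])


def build_subject_dn(local: list[tuple[str, str]], domain: str) -> str:
    """The 1:1 form: local RDNs, then the dc tail. RFC 4514 strings are
    leaf-first; the ASN.1 Name in a certificate holds the same RDNs root-first."""
    head = ','.join(f'{t}={escape_rdn_value(v)}' for t, v in local)
    tail = domain_to_dc_dn(domain)
    return f'{head},{tail}' if head else tail


def subject_matches_domain(subject_dn: str, domain: str) -> bool:
    """Uniqueness check: the subject's dc tail must equal the domain the
    issuer controls; the DNS registry then guarantees the global part."""
    try:
        _, tail_domain = split_dc_dn(subject_dn)
    except ValueError:
        return False
    return tail_domain == domain.rstrip('.').lower()
```

`build_subject_dn([('cn', 'Michael Ströder'), ('ou', 'people')], 'example.com')` yields `cn=Michael Ströder,ou=people,dc=example,dc=com`, and `split_dc_dn` recovers the local RDNs and `example.com` from it, including when the ö arrives hex-escaped as `\C3\B6`. A DN whose dc RDNs are not the trailing ones, or whose tail spells a different domain, fails `subject_matches_domain`, which is the property that makes the DNS registry the uniqueness anchor the thread argues about.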