Peter Gutmann wrote:
>
> Michael Ströder <michael@xxxxxxxxxxxx> writes:
>
> >Peter, I disagree with your opinion about acceptance of DC-style DNs. Usage
> >of DNs according to RFC 2247 is getting very common in today's LDAP
> >deployment.
>
> I've never seen one, and I have a fairly wide-ranging cert collection from all
> sorts of sources... there may be one in there somewhere that I've forgotten
> about and I don't want to search the whole lot to find it, but from what I've
> seen, usage is practically nonexistent. You're probably correct in that usage
> is necessary for LDAP deployment, but that doesn't mean that they're in common
> use anywhere.

Peter

Here is one attached to this message.

> >The main problem with PKI deployment is that most PKI-enabled software does
> >not support this kind of DNs.
>
> I think the real problem is that DCs are a weird artifact of X.500 ideology
> rather than any real-world issue [0]. People don't even know what to do with
> a "locality" or "organisationalUnit", let alone a DC. Even if the software
> supported it, no-one would know what to do with them apart from treating them
> as yet another odd blob ID.

It's not really much more weird than DNS names, is it? The only difference is
that DNS name components are typeless, whereas X.500 ones are typed.

> Peter.
>
> [0] I've tried explaining DCs to one or two people in the past when doing one
> of the PKI tutorials on my home page, and the reaction was generally
> head-shaking and comments involving the terms "OSI", "reality", and "out of
> touch with". One guy (who had worked in an OSI environment in the past)
> asked whether 2247 was an April 1 RFC.

This is completely the opposite of my experience from giving public PKI and
LDAP courses in London. People immediately see the benefit of leveraging the
DNS name registration scheme to give them globally unique X.500/LDAP DNs. Even
Microsoft see the sense in this :-)

David

--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351 Fax +44 01484 532930 Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxxxxx
Home Page: http://www.salford.ac.uk/its024/chadwick.htm
Research Projects: http://sec.isi.salford.ac.uk
Understanding X.500: http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
Attachment:
D.W.Chadwick.p7c
Description: S/MIME encrypted message
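The RFC 2247 mapping the thread argues about, as an added Python example that is not part of the original message or of any project mentioned in it. It shows the two points David makes: a registered DNS name maps one-to-one onto a chain of `dc=` RDNs, and because X.500 RDNs are typed, the domain can be recovered from a DN that also carries `cn=` or `ou=` components. The DN string parser is a deliberately simplified RFC 2253 reader (it understands backslash-escaped commas but not quoting or multi-valued `+` RDNs), the label syntax check is my own assumption based on RFC 1034 label rules, and all sample DNs are constructed for the example.

```python
"""RFC 2247 mapping between DNS domain names and domainComponent (DC) DNs.

Added example, not code from the mailing-list thread. Standard library only.
"""
from __future__ import annotations

import re

# Assumed DNS label syntax (RFC 1034 style): letters, digits and hyphens,
# 1-63 characters, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def dns_to_dc_dn(domain: str) -> str:
    """Map a DNS name to its RFC 2247 DN string.

    'salford.ac.uk' -> 'dc=salford,dc=ac,dc=uk'. The most specific DNS label
    becomes the leftmost RDN, which is the RFC 2253 string order.
    """
    labels = domain.strip().rstrip(".").split(".")
    for label in labels:
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return ",".join(f"dc={label}" for label in labels)


def split_rdns(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into (type, value) pairs.

    A comma escaped with a backslash (e.g. 'o=Widget\\, Ltd') is part of the
    value and does not separate RDNs. Attribute types are lower-cased so that
    'DC=' and 'dc=' compare equal.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        rdns.append((attr_type.strip().lower(), value.replace("\\,", ",").strip()))
    return rdns


def dc_dn_to_dns(dn: str) -> str | None:
    """Recover the DNS domain carried by the DC components of a DN.

    Non-DC attributes (cn=, ou=, o=, c=) are skipped because RDNs are typed;
    the DC values are kept in DN order, which is already DNS label order.
    Returns None when the DN carries no DC components at all.
    """
    labels = [value for attr_type, value in split_rdns(dn) if attr_type == "dc"]
    if not labels:
        return None
    return ".".join(labels)


def has_dc_components(dn: str) -> bool:
    """True when the DN uses the RFC 2247 style (at least one dc= RDN)."""
    return dc_dn_to_dns(dn) is not None


if __name__ == "__main__":
    # Constructed sample DNs; none is taken from a real certificate.
    samples = [
        "cn=David Chadwick,ou=IS Institute,dc=salford,dc=ac,dc=uk",
        "cn=Example CA,o=Example Corp,c=GB",
        "cn=Widget\\, Ltd,DC=example,DC=com",
    ]
    for dn in samples:
        print(f"{dn!r:60} -> DC domain: {dc_dn_to_dns(dn)}")
    print(dns_to_dc_dn("salford.ac.uk"))
```

A practical check when assessing a certificate store: run `has_dc_components` over the subject DNs and you get a count of how many issuers actually follow RFC 2247, which is the factual question Peter and Michael disagree on.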