Re: [IETF-PKIX] OCSP: Method of Identifying Certificates
>>>>> "David" == David P Kemp <dpkemp@missi.ncsc.mil> writes:
>> From: Stephen Kent <kent@bbn.com>
>>
>> When we encode anything as a DN it becomes part of the DN space,
>> for which ITU claims responsibility, but for which we lack an
>> authoritative registrar.
David> ...
David> Note that Part 1 defines DistinguishedName ::= RDNSequence,
David> but DistinguishedName is *never* used. The subject and issuer
David> fields of Certificate are Name, not DistinguishedName. The
David> syntax is the same, but the argument can be made that the IETF
David> has the right to define its own attributes which may appear in
David> RDNSequence, and to serve as the registrar for its own
David> namespaces.
If that's valid, it certainly is not intuitive. Applying the duck
test ("if it walks like a duck...") on the subject name would
certainly lead many people to believe that those things are
distinguished names controlled by ITU.
If that assumption is true only for some subject names and not others
(i.e., we're applying the ITUish syntax without also applying its
semantics) then this deserves to be pointed out very clearly. In
particular, it becomes critical to spell out which portion of the name
space is controlled by which registrar (real or hypothetical).
DNS names have the nice property that "everyone knows" where they come
from. When I see "X=foo, Y=bar" I immediately think "ITU X.mumble"
with all that seems to imply.
paul
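The point both posts circle around, that a subject Name has the syntax of an X.500 RDNSequence while its attribute types can come from several different registrars, is easy to make concrete by decoding one. The following is an added example, not code from the thread or from any PKIX draft: it builds a small DER-encoded Name (the sample values are constructed), walks it back, and labels each attribute type by the OID arc it sits under. The arcs themselves are the standard ones: 2.5.4 is the X.520 attribute-type arc under the joint ISO/ITU-T root, 1.2.840.113549.1.9 is PKCS #9 (the RSA Laboratories arc that gives emailAddress), and 0.9.2342.19200300.100.1 is the "pilot" arc from RFC 1274 that RFC 2247 reuses for domainComponent. Since Name is a CHOICE with the single alternative rdnSequence, its DER encoding is exactly that of the RDNSequence.

```python
# Added example (not code from the thread): build a DER-encoded X.509 Name
# (an RDNSequence), then walk it and report which registrar's arc each
# attribute type OID falls under. Standard library only. The OID arcs and
# attribute names are the well-known ones; the sample Name is constructed.

RDN_SEQUENCE, RDN_SET, OID, UTF8, PRINTABLE, IA5 = 0x30, 0x31, 0x06, 0x0C, 0x13, 0x16

# Well-known attribute types (OID -> short name) and the arcs their registrars own.
ATTRIBUTE_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O",
    "1.2.840.113549.1.9.1": "emailAddress",
    "0.9.2342.19200300.100.1.25": "DC",
}
REGISTRIES = [
    ("2.5.4.", "X.520 attribute types (joint ISO/ITU-T arc)"),
    ("1.2.840.113549.1.9.", "PKCS #9 (RSA Laboratories arc)"),
    ("0.9.2342.19200300.100.1.", "pilot attributes, RFC 1274/2247 (IETF-specified)"),
]

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs fold into 40*a+b, then base-128 per arc."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def decode_oid(body):
    """Inverse of encode_oid on the content octets only (no tag/length)."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def build_sample_name():
    """Constructed Name whose RDNs mix attribute types from three registrars."""
    def atv(oid, tag, text):
        # RelativeDistinguishedName ::= SET OF AttributeTypeAndValue (one ATV each here)
        return tlv(RDN_SET, tlv(RDN_SEQUENCE, encode_oid(oid) + tlv(tag, text.encode())))
    return tlv(RDN_SEQUENCE,
               atv("2.5.4.6", PRINTABLE, "US")
               + atv("0.9.2342.19200300.100.1.25", IA5, "example")
               + atv("2.5.4.10", UTF8, "Example Org")
               + atv("1.2.840.113549.1.9.1", IA5, "paul@example.org")
               + atv("2.5.4.3", UTF8, "paul"))

def registrar_of(oid):
    for prefix, who in REGISTRIES:
        if oid.startswith(prefix):
            return who
    return "unregistered/unknown arc"

def walk_name(der):
    """Return [(short name or OID, value, registrar)] for every ATV in the Name."""
    tag, rdn_seq, _ = read_tlv(der, 0)
    assert tag == RDN_SEQUENCE, "Name (rdnSequence) must be a SEQUENCE"
    out = []
    for set_tag, rdn in iter_tlvs(rdn_seq):
        assert set_tag == RDN_SET, "each RDN must be a SET"
        for _, atv in iter_tlvs(rdn):
            (_, oid_body), (_, value) = iter_tlvs(atv)
            oid = decode_oid(oid_body)
            out.append((ATTRIBUTE_NAMES.get(oid, oid), value.decode(), registrar_of(oid)))
    return out

if __name__ == "__main__":
    for short, value, who in walk_name(build_sample_name()):
        print(f"{short}={value!r:20} <- {who}")
```

Running it prints one line per attribute; the "DC" and "emailAddress" rows carry non-X.520 registrars even though they are wrapped in exactly the same RDNSequence syntax as "C" and "O", which is the situation the reply says ought to be spelled out. The unknown-arc branch is where a verifier would have to decide what to do with an attribute type nobody on the page has claimed.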