Re: A web of directories
As Tom pointed out and I realized independently, there are some
technical difficulties with the execution I proposed, not the least
of which is the fact that a SET of optional components would be
a nightmare to implement as the root of the DIT!
If all else fails, we could include the necessary information elsewhere
in the certificate, although I really liked the idea of including it in the DN
in order to take advantage of existing mechanisms.
We could conceivably include a single primary directory name as a top level
component of a DN, since within that directory's view of the DIT everything
would be consistent. And if and when we evolve to a world-wide directory
that (sub)directory name might be able to serve as a schema qualification.
But I don't want to wreck the existing DIT class definitions, at
least not out of ignorance, so I will have to propose something else.
I confess that I don't recall the AAI extension, at least by that acronym.
Can you give me a reference to it? If it will work, I'm happy.
Bob
>>> Stephen Kent <kent@bbn.com> 02/23/99 10:04AM >>>
Bob,
Aw, come on now, Bob. DNs are NOT intended to include pointers to
directory servers. They are names within the DIT. Don't try to shoehorn
other info into a DN just because the GeneralName form allows other forms
of IDs. I agree with the suggestion that one could use the AAI extension
with an appropriate sub-type. (Actually, a previous version of PKIX Part
1, which allowed for end-entity info rather than CA info makes more sense
here, but we seemed to have lost that distinction along the way.)
Steve