RE: Qualified Certificates draft - Country name
At 05:30 PM 3/1/99 -0500, tgindin@us.ibm.com wrote:
> I think that country name should be made mandatory. If country name
>is made optional, how is the number of first-level entries in the global
>directory tree going to be held down to navigable levels? I would have no
>objection to defining the mandatory attribute superior to organization as a
>choice between country name and international assignment authority, but to
>allow any organization that wishes to assign itself as a first-level entry
>in the tree to do so will produce a situation in which there is no entity
>with a complete list of first-level entries. That would probably make it
>permanently impossible for client systems to navigate the tree.
> One problem with country name, however, is that it implicitly assumes
>a "Westphalia model" of countries and makes no provision for such things as
>the EU. Does anyone know of an alternative attribute that organizations
>could be made subordinate to?
Signs of the Zodiac? Elements of the Periodic Table? ...
Pardon for being flip, and perhaps a bit mystified by the urge to subordinate
all things to "countries". I think of the Balkans, or other areas of the world
where maps and countries seem to transform themselves on a regular basis.
Client systems required to navigate a global directory must be pre-armed with
information sufficient to locate a unique "leaf" in the tree. Since the only
real "naming" authority becomes the CA (in negotiation with the certified party)
it would seem they can be free to select any top-level name from some set of
pre-established "top-level" names (pre-established for reasons of efficiency
only). Hence if "Atomic Elements" were the established top-level names, a CA
could select one at random and assign it as the first identifying "element"
in my certificate (if the goal were simply to make directories "navigable".)
Why, exactly, is there a need to have THESE names correspond to anything in
the "real world"? As long as an entity can be uniquely defined, it would be
the corresponding CA who should hold whatever information about the entity
that might reveal the qualified "real-world" attributes.
Indeed, why should I, and my next-door neighbor, reside "near each other" in
some global directory? The very thought is chilling, to say the least.
If I have this all wrong, please straighten me out.
Thanks.
___tony___
Tony Bartoletti
Center for Information Operations and Assurance
Lawrence Livermore National Laboratory
PO Box 808, L - 303
Livermore, CA 94551-9900
phone: 925-422-3881 fax: 925-423-8002
email: azb@llnl.gov