
RE: Qualified Certificates draft - Country name



     My responses are indicated with my name in brackets.


Tony Bartoletti <azb@llnl.gov> on 03/01/99 06:55:38 PM

To:   Tom Gindin/Watson/IBM, Stefan Santesson <stefan@accurata.se>
cc:   "Bob Jueneman" <BJUENEMAN@novell.com>, samiklo@missi.ncsc.mil,
      ietf-pkix <ietf-pkix@imc.org>, Stephen Kent <kent@bbn.com>
Subject:  RE: Qualified Certificates draft - Country name

At 05:30 PM 3/1/99 -0500, tgindin@us.ibm.com wrote:
>     I think that country name should be made mandatory.  If country name
>is made optional, how is the number of first-level entries in the global
>directory tree going to be held down to navigable levels?  I would have no
>objection to defining the mandatory attribute superior to organization as a
>choice between country name and international assignment authority, but to
>allow any organization that wishes to assign itself as a first-level entry
>in the tree to do so will produce a situation in which there is no entity
>with a complete list of first-level entries.  That would probably make it
>permanently impossible for client systems to navigate the tree.
>     One problem with country name, however, is that it implicitly assumes
>a "Westphalia model" of countries and makes no provision for such things as
>the EU.  Does anyone know of an alternative attribute that organizations
>could be made subordinate to?

Signs of the Zodiac?  Elements of the Periodic Table? ...

Pardon for being flip, and perhaps a bit mystified by the urge to
subordinate all things to "countries".  I think of the Balkans, or other
areas of the world where maps and countries seem to transform themselves on
a regular basis.

[Tom Gindin]   No argument here - I was thinking more about the multiple
levels of government than about their stability, though.

Client systems required to navigate a global directory must be pre-armed
with information sufficient to locate a unique "leaf" in the tree.  Since
the only real "naming" authority becomes the CA (in negotiation with the
certified party) it would seem they can be free to select any top-level name
from some set of pre-established "top-level" names (pre-established for
reasons of efficiency only).  Hence if "Atomic Elements" were the
established top-level names, a CA could select one at random and assign it
as the first identifying "element" in my certificate (if the goal were
simply to make directories "navigable").

Why, exactly, is there a need to have THESE names correspond to anything in
the "real world"?  As long as an entity can be uniquely defined, it would be
the corresponding CA who should hold whatever information about the entity
that might reveal the qualified "real-world" attributes.

[Tom Gindin]   The problem I see is that a client performing a verification
needs to find the issuing CA (not just its own CA) itself.  The main reason
to have these names correspond to something sizable in the real world is to
keep the number of top-level names manageable, and to have a defensible
basis for allowing certain entities to be at the top level and others not.
Since the set of major industries is roughly as stable as that of
countries, if assignment authorities for them could be as clearly
determined, they would be reasonable candidates for top-level entries - if
somebody could impose a lower bound on what is a "major industry".


Indeed, why should I, and my next-door neighbor, reside "near each other" in
some global directory?  The very thought is chilling, to say the least.

If I have this all wrong, please straighten me out.

Thanks.

___tony___


Tony Bartoletti                                             LL
Center for Information Operations and Assurance          LL LL
Lawrence Livermore National Laboratory                LL LL LL
PO Box 808, L - 303                                   LL LL LL
Livermore, CA 94551-9900                              LL LL LLLLLLLL
phone: 925-422-3881   fax: 925-423-8002               LL LLLLLLLL
email: azb@llnl.gov                                   LLLLLLLL
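The rule Tom Gindin argues for above (the attribute immediately superior to
organizationName must be a country name, or alternatively an international
assignment authority) can be written down as a subject-DN policy check that
a relying party or CA could run before accepting a name.  The code below is
an added example for this thread, not code from any participant or from the
Qualified Certificates draft.  The attribute name
internationalAssignmentAuthority is a constructed placeholder, not a
standard attribute, and the country-code and authority sets are small
constructed samples rather than the full ISO 3166 list.

```python
"""Subject-DN check for the 'mandatory attribute superior to organization'
rule discussed in the thread.  Added example; attribute name and lists below
are constructed placeholders, not standard values."""

import re

# Constructed subset of ISO 3166 alpha-2 codes for the example.
KNOWN_COUNTRY_CODES = {"US", "SE", "GB", "DE", "FR"}

# Hypothetical attribute type for the 'international assignment authority'
# alternative raised in the thread; not a registered X.500 attribute.
INTERNATIONAL_AUTHORITY_ATTR = "internationalAssignmentAuthority"
KNOWN_INTERNATIONAL_AUTHORITIES = {"EU"}  # constructed sample


def parse_dn(dn):
    """Parse an RFC 2253-style string DN into (type, value) pairs ordered
    from the top of the tree (most significant) downward.

    RFC 2253 strings list the least-significant RDN first, so the parsed
    list is reversed.  Backslash-escaped commas inside values are honoured;
    multi-valued RDNs joined with '+' are not handled in this example."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        part = part.strip()
        if not part:
            continue
        if '=' not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split('=', 1)
        rdns.append((attr.strip(), value.replace('\\,', ',').strip()))
    rdns.reverse()
    return rdns


def check_top_level(dn):
    """Return (ok, reason) for the rule: the RDN directly above
    organizationName must be C=<known code> or
    INTERNATIONAL_AUTHORITY_ATTR=<known authority>.

    An organizationName that sits at the top of the tree (a self-assigned
    first-level entry, the case Tom Gindin objects to) is rejected."""
    rdns = parse_dn(dn)
    types = [t.upper() for t, _ in rdns]
    if "O" not in types:
        return False, "no organizationName present"
    o_index = types.index("O")
    if o_index == 0:
        return False, "organizationName is a first-level entry"
    attr, value = rdns[o_index - 1]
    if attr.upper() == "C":
        if value.upper() in KNOWN_COUNTRY_CODES:
            return True, f"country {value.upper()}"
        return False, f"unknown country code {value!r}"
    if attr == INTERNATIONAL_AUTHORITY_ATTR:
        if value in KNOWN_INTERNATIONAL_AUTHORITIES:
            return True, f"international authority {value}"
        return False, f"unknown international authority {value!r}"
    return False, f"organizationName subordinate to {attr}={value}"


if __name__ == "__main__":
    # Constructed sample DNs covering the cases argued over in the thread.
    for sample in (
        "CN=Tony Bartoletti,O=Lawrence Livermore National Laboratory,C=US",
        "CN=Someone,O=Acme",
        "CN=Someone,O=Commission,internationalAssignmentAuthority=EU",
        "CN=Someone,O=Acme,ST=Ohio,C=US",
    ):
        print(sample, "->", check_top_level(sample))
```

The check deliberately looks at the RDN directly above O rather than only
at the first RDN, so a DN such as CN=...,O=Acme,ST=Ohio,C=US is reported as
subordinate to ST and fails the rule as stated in the thread; loosening that
to "any ancestor is a known country" is a one-line change if that is the
policy actually wanted.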