
Re: Qualified Certificates draft - Country name



> From: galactus@stack.nl (Arnoud "Galactus" Engelfriet)
> 
> The number of .com domains is now well over 3 million. It's hardly
> a meaningful top-level domain anymore.

Au contraire.  What is meaningful about it is that those 3 million
domains are registered in a single place, and as a result a given
name can be resolved unambiguously.

The longer I look at naming hierarchies, the more my goodness metric
becomes "the flatter, the better".  It would be fine with me if
certificates were indexed by hash value (as stored in AKI), and
one could find every certificate on the Internet by looking it up
in The Directory by that value.

Bob, that's my suggestion for your magic bullet.  Efficiency may demand
CIDR-style partitioning of the AKI space (or something along the lines
of Tony's a.b.c.d prefix, applied to AKI instead of DN), but that could
work by migrating certificates to the appropriate directory server(s)
by prefix WITHOUT any pre-arranged AKI partitioning of CAs.
EE certs could be referred to by "cert hash" instead of (or in addition
to) Issuer/Serial, and retrieved from the Directory the same way.
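The hash-indexed, prefix-partitioned Directory sketched in the message above, as an added example that is not part of the original post or of any PKIX draft. It assumes, for illustration only, that the "cert hash" is SHA-256 over the DER-encoded certificate, that each directory server owns a hex prefix of that hash space (the CIDR-style partitioning the message mentions), and that lookups route by longest-prefix match; the `HashDirectory` class, its method names, and the byte strings used as certificates are all constructed stand-ins, not real X.509 data. It also keeps an optional Issuer/Serial index so the "in addition to" case resolves to the same entry.

```python
import hashlib
from typing import Dict, Optional, Tuple


# Assumption (not from the post): the "cert hash" is SHA-256 over the
# DER-encoded certificate, and shards are named by a hex prefix of it.
def cert_hash(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


class HashDirectory:
    """Flat certificate directory keyed by cert hash.

    The hash space is partitioned CIDR-style: each directory server owns a
    hex prefix, and a hash is routed by longest-prefix match. No CA has to
    agree on the partitioning in advance; splits happen on the directory side.
    """

    def __init__(self) -> None:
        # prefix -> {cert_hash: der}; the empty prefix is the catch-all server
        self.shards: Dict[str, Dict[str, bytes]] = {"": {}}
        # secondary index so existing Issuer/Serial references still resolve
        self.by_issuer_serial: Dict[Tuple[str, int], str] = {}

    def shard_for(self, h: str) -> str:
        """Longest matching prefix wins, exactly like a CIDR routing table."""
        best = ""
        for prefix in self.shards:
            if h.startswith(prefix) and len(prefix) > len(best):
                best = prefix
        return best

    def store(self, der: bytes, issuer: str = "", serial: Optional[int] = None) -> str:
        """File a certificate under its hash; return the hash as its reference."""
        h = cert_hash(der)
        self.shards[self.shard_for(h)][h] = der
        if serial is not None:
            self.by_issuer_serial[(issuer, serial)] = h
        return h

    def lookup(self, h: str) -> Optional[bytes]:
        return self.shards[self.shard_for(h)].get(h)

    def lookup_issuer_serial(self, issuer: str, serial: int) -> Optional[bytes]:
        h = self.by_issuer_serial.get((issuer, serial))
        return None if h is None else self.lookup(h)

    def add_shard(self, prefix: str) -> int:
        """Bring up a server for `prefix` and migrate the certs it now owns.

        Only shards whose prefix is a proper prefix of the new one can hold
        such certs; a longer existing shard (e.g. 'ab' when adding 'a')
        keeps its own. Returns the number of certificates moved.
        """
        if prefix in self.shards:
            return 0
        self.shards[prefix] = {}
        moved = 0
        for parent, certs in self.shards.items():
            if parent == prefix or not prefix.startswith(parent):
                continue
            for h in [h for h in certs if h.startswith(prefix)]:
                self.shards[prefix][h] = certs.pop(h)
                moved += 1
        return moved


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates (not real X.509 data).
    d = HashDirectory()
    hashes = [d.store(b"cert-%d" % i, issuer="CN=Example CA", serial=i)
              for i in range(8)]
    split = hashes[0][:1]
    print("moved", d.add_shard(split), "cert(s) to new shard", repr(split))
    print("all still resolvable:", all(d.lookup(h) is not None for h in hashes))
    print("issuer/serial 3 ->", cert_hash(d.lookup_issuer_serial("CN=Example CA", 3)))
```

The point of `add_shard` is the one the message makes: a new server takes over a prefix and the affected entries migrate to it, while every existing cert-hash reference keeps resolving, because clients route by prefix at lookup time rather than by any agreement with the issuing CA.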