Re: Qualified Certificates draft - Country name
David,
>> The number of .com domains is now well over 3 million. It's hardly
>> a meaningful top-level domain anymore.
>
>Au contraire. What is meaningful about it is that those 3 million
>domains are registered in a single place, and as a result a given
>name can be resolved unambiguously.
The Jan 99 survey suggests that the number is even bigger, about 12
million. However, that is just the .COM entries, not all the hosts
registered under each of the .COM domains, nor the folks in all the other
country domains, etc. .COM represents about 30% of the (accessible) DNS
entries, and that percentage may shrink as more TLDs are created, as more
hosts are registered in other countries, etc.
>The longer I look at naming hierarchies, the more my goodness metric
>becomes "the flatter, the better". It would be fine with me if
>certificates were indexed by hash value (as stored in AKI), and
>one could find every certificate on the Internet by looking it up
>in The Directory by that value.
But we know this does not scale well.
>Bob, that's my suggestion for your magic bullet. Efficiency may demand
>CIDR-style partitioning of the AKI space (or something along the lines
>of Tony's a.b.c.d prefix, applied to AKI instead of DN), but that could
>work by migrating certificates to the appropriate directory server(s)
>by prefix WITHOUT any pre-arranged AKI partitioning of CAs.
>EE certs could be referred to by "cert hash" instead of (or in addition
>to) Issuer/Serial, and retrieved from the Directory the same way.
I think one really wants partitioning along organizational lines, not the
arbitrary lines that the CIDR-like approach would imply. Organizational
responsibility for maintenance of directories has worked well for the DNS,
and if one were to create a PKI tied to the DNS, e.g., based on DNs that
employ only DC attributes, then I think we would want to make use of the
record types already defined for storage of X.509 certs.
Steve