[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Qualified Certificates draft - Country name

To: <ietf-pkix@xxxxxxx>, <dpkemp@xxxxxxxxxxxxxx>, <galactus@xxxxxxxx>
Subject: Re: Qualified Certificates draft - Country name
From: "Bob Jueneman" <BJUENEMAN@xxxxxxxxxx>
Date: Thu, 04 Mar 1999 12:04:02 -0700
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxx

David,

Flat is not necessarily bad, although the performance of 
typical directory implementations may be a concern.

But hashing the certificate or public key a la SPKI is 
in my opinion NOT the way to go, for reasons that were 
argued extensively on that list (even if Carl Ellison 
remains unconvinced).

I wouldn't mind such a technique as an alias, if aliases 
weren't such a headache, but I don't think it would be 
acceptable as the primary DN, because people want to be
able to look up lots of other things about someone than
their certificate, and they want to be able to do so for a 
very long period of time.

The only problem I have with using an employee number
as the primary index is the tendency to use a master dossier
index such as the SSN for that purpose -- a privacy concern.

Even if we used a SHA-1 hash of a canonical form of the 
employee's birth certificate (which would be a perfectly 
lousy "name"), it might still become a dossier locator.

Employee ID is probably about the best that can be done, but it 
should not be global in scope, but rather unique only within the
naming organization.

Maybe we partition the employee ID space for efficiency,
perhaps by including the first letter of the (original) name,
or something similar. 

Bob (J.1234567)

>>> "David P. Kemp" <dpkemp@missi.ncsc.mil> 03/04/99 08:42AM >>>
> From: galactus@stack.nl (Arnoud "Galactus" Engelfriet)
> 
> The number of .com domains is now well over 3 million. It's hardly
> a meaningful top-level domain anymore.

Au contraire.  What is meaningful about it is that those 3 million
domains are registered in a single place, and as a result a given
name can be resolved unambiguously.

The longer I look at naming heirarchies, the more my goodness metric
becomes "the flatter, the better".  It would be fine with me if
certificates were indexed by hash value (as stored in AKI), and
one could find every certificate on the Internet by looking it up
in The Directory by that value.

Bob, that's my suggestion for your magic bullet.  Efficiency may demand
CIDR-style partitioning of the AKI space (or something along the lines
of Tony's a.b.c.d prefix, applied to AKI instead of DN), but that could
work by migrating certificates to the appropriate directory server(s)
by prefix WITHOUT any pre-arranged AKI partitioning of CAs.
EE certs could be referred to by "cert hash" instead of (or in addition
to) Issuer/Serial, and retrieved from the Directory the same way.

Prev by Date: Re: A web of directories - Finding PKIX Servers
Next by Date: RE: OCSP Service Locator and RFC2459's Authority Information Access
Previous by thread: RE: Qualified Certificates draft - Country name
Next by thread: Re: Qualified Certificates draft - Country name
Index(es):
- Date
- Thread