
RE: Certificates, Directories, and Distinguished Names

Thanks for that.

> -----Original Message-----
> From:	Stephen Kent 
> Sent:	Wednesday, April 07, 1999 12:42 AM
> To:	Alan Lloyd
> Cc:	''ietf-pkix@imc.org ' '; ''list@seis.nc-forum.com ' '
> Subject:	RE: Certificates, Directories, and Distinguished Names
> 
> Alan,
> 
> >	This can be agreed with or:
> >
> >	Say I get a cert/key from Honest John cert co - and its
> >recognised by a few dozen traveller kiosks around the country and
> toll
> >plazas on freeways.
> >	 When I use it from the car, the email address of the
> >transaction is toll booth 23@ Tullamaine -free way. roads and when I
> go
> >bush... another one day  the email address is
> >lost.traveller@kiosk10.inthebush.outback
> 
> Gee, you Aussies really like to send mail from out of the way places
> :-).
	Yes, they are so far "out of the way" that we have cars and
internet services there :-)

> We agree that the message recipients care more about who you are than
> the
> origin of a specific message.  However, in the e-mail world, the IDs
> people
> are comfortable with, are e-mail addresses.  
	That's a view that should evolve - I don't like remembering email
addresses - simply because they seem to be changing often.
	Quote from an OpenDirectory slide - circa 10 years ago -
Directories are used to hold information that one cannot remember or
that changes often, and this is related to a name that can be remembered
and does not change (or rarely changes).

> S/MIME decided to prefer that
> form of ID for their application environment, and so it is appropriate
> for
> PKIX to support it. It is also an ID form supported in IPsec for
> individuals.  This is just another case of folks in the Internet
> choosing
> to make use of an existing naming infrastructure,
> 
	Oh I see - I wondered what this Internet stuff was about -
perhaps I should use it too - and then my views might get accepted. :-) 

	(or perhaps I don't think that using email addresses instead of
directory systems is the way to go - ie. I don't believe in applying
newer technologies - business level directory systems - in the old way -
like email systems - simply because there is a difference and a damn
good reason for not doing so)

	ie. Engineering concepts - EG. If I have a hammer (mail system
concepts) and then get an electric drill (a directory system), do I
still bash the back of the drill to do the engineering? No, I use a
different approach to doing the job.
>  i.e., the DNS, than to
> build and rely upon a new one, e.g., X.500.  This is an IETF WG, so
> this
> ought not be surprising!
	As said we are providing X.500 back ends to ISPs for Radius,
DHCP/DNS services - and ISPs provide (wait for it) Internet Services !

	Also, another view is that the networking properties of the
Internet are used to support a distributed name based information system
that businesses operate with using natural business entity names like
Conference Room 3, etc. ie. the Internet just becomes the pipes for many
directory services supporting the business information model of specific
vertical markets.

	This strikes me as valid input to the IETF process.

> >	It strikes me that nailing, cryptographically, information in a
> >certificate that may or may not get used could be a hindrance not a
> >benefit..
> 
> I'm in favor of not putting too many attributes into a cert; remember
> Steve's Rule of Revocation.  (I never knew this to forget it - Gee, is
> this published ?)
> 
> But we're really talking about an alternate
> Subject name here, not an added piece of info.
> 
	Is an Alternate Subject Name (that seems to have no purpose)
not an added piece of info?  author - a confused Aussie :-)

> 	<corporate merger activity advertisement deleted>
	It's strange you deleted this when in fact it highlights the very
problem of using mail addresses in certs.
	It's also odd that the very problems I describe in the real world
which face operational systems dealing with churn and change - that can
get resolved with directory systems - not mail systems with certificates
- seem to get passed over...
	However, this has a good side - it just means that directory
system suppliers get ahead of the suppliers with "email" /DB approaches
to PKIs.

> >	It also strikes me that the last place I want my mail address is
> >in my certificate - as this will create and compound any archive and
> >rekey issues.
> 
> Huh? If the e-mail address is the chosen name form, then learn to deal
> with it!
> 
> <typical Alan text about X.500 as a panacea deleted>
	Directories are not a panacea - they are a sound and validated
engineering approach to distributed information systems that run
businesses over the Internet and other networks. They have solved
problems ten years ago - that are being discussed today.


> Steve
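The point argued back and forth above is that an e-mail address placed in a certificate's SubjectAltName is part of the signed data, so any change of address (a merger, a new ISP, a kiosk that goes away) means a new certificate rather than a directory update. The following is an added example, not code from either poster: it encodes and decodes the SubjectAltName extension value in DER by hand, using the rfc822Name ([1] IA5String) and dNSName ([2] IA5String) forms from RFC 5280, and checks whether a given address is still the one the certificate was issued for. The addresses are constructed sample values; the helper names are this example's own.

```python
"""Added example (not from the mailing-list thread): hand-rolled DER
encoding/decoding of the X.509 SubjectAltName value, restricted to the
rfc822Name and dNSName GeneralName forms, plus a check of whether a
certificate's SAN still covers the address a relying party expects.
Tag values follow RFC 5280 GeneralName: rfc822Name is [1] IMPLICIT
IA5String (context tag 0x81), dNSName is [2] (0x82); unknown name forms
are preserved rather than dropped. Sample addresses are constructed."""

SAN_OID = "2.5.29.17"   # id-ce-subjectAltName, informational only here
TAG_RFC822 = 0x81       # [1] IMPLICIT IA5String, primitive
TAG_DNS = 0x82          # [2] IMPLICIT IA5String, primitive
TAG_SEQUENCE = 0x30


def _der_len(n: int) -> bytes:
    """Minimal DER length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def encode_san(emails=(), dns_names=()) -> bytes:
    """Encode SubjectAltName ::= SEQUENCE OF GeneralName as DER bytes."""
    parts = b""
    for e in emails:
        # IA5String is 7-bit ASCII; a non-ASCII address raises instead of being mangled
        parts += _tlv(TAG_RFC822, e.encode("ascii"))
    for d in dns_names:
        parts += _tlv(TAG_DNS, d.encode("ascii"))
    return _tlv(TAG_SEQUENCE, parts)


def _read_len(buf: bytes, i: int):
    """Read a DER length at offset i; reject non-minimal encodings."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or n > 4 or i + n > len(buf):
        raise ValueError("unsupported or truncated length encoding")
    val = int.from_bytes(buf[i:i + n], "big")
    i += n
    if val < 0x80 or (n > 1 and val < (1 << (8 * (n - 1)))):
        raise ValueError("non-minimal DER length")
    return val, i


def decode_san(der: bytes):
    """Decode a SubjectAltName value into a list of (form, value) tuples."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    length, i = _read_len(der, 1)
    if i + length != len(der):
        raise ValueError("length does not match buffer")
    names = []
    while i < len(der):
        tag = der[i]
        ln, j = _read_len(der, i + 1)
        content = der[j:j + ln]
        if len(content) != ln:
            raise ValueError("truncated GeneralName")
        i = j + ln
        if tag == TAG_RFC822:
            names.append(("rfc822Name", content.decode("ascii")))
        elif tag == TAG_DNS:
            names.append(("dNSName", content.decode("ascii")))
        else:
            names.append(("other", tag, content))  # keep unknown forms intact
    return names


def san_covers_address(san_der: bytes, address: str) -> bool:
    """True if the certificate's SAN carries this mailbox. Per RFC 5280 the
    local part is compared case-sensitively, the domain case-insensitively.
    A False result is exactly the "rekey/reissue" case the thread argues about:
    the signed bytes no longer describe the address in use."""
    local, _, domain = address.rpartition("@")
    for entry in decode_san(san_der):
        if entry[0] != "rfc822Name":
            continue
        l2, _, d2 = entry[1].rpartition("@")
        if l2 == local and d2.lower() == domain.lower():
            return True
    return False


if __name__ == "__main__":
    der = encode_san(["lost.traveller@kiosk10.inthebush.outback"])
    print(der.hex())
    print(decode_san(der))
    print(san_covers_address(der, "lost.traveller@KIOSK10.inthebush.outback"))
```

The decoder rejects non-minimal lengths and trailing bytes, the two sloppy encodings that lenient parsers tend to accept and that make name matching ambiguous; the covers-address check is deliberately a plain lookup in the signed structure, since that is all a relying party can do once the address has been "nailed in" without going back to the issuer.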