
Re: Global PKI on DNS?

2002-06-17 11:16:48


Stephen Kent wrote:

<snip>
If I am a member of multiple communities, and if I have a cert issued by each 
community for use in its context, I don't need to communicate AMONG the 
communities, just within them.

Why restrict how you/I/we can communicate? The technical system should not pass 
its limitations as features.

<snip>I quote from your paper, with the relevant text in bold:

3.1.2. Distinguished Names

The first question of Section 3.1. was "who is S?", which has to be answered 
with a name-like attribute. Of course, if we use natural names we will not go 
very far before a similar name is found in the world population. Thus, to allow 
for programs (i.e., verifiers, subjects, etc.) to deal with entities in the 
Internet, it is necessary to have a "naming convention" that may allow a unique 
and singular name to be used for each entity -- which is usually called a 
"Distinguished Name" or DN. With DNs, it would be possible to uniquely associate 
entities to contract numbers, accounts, etc., without requiring the account 
numbers, etc. to be also unique. The problem is that there is no naturally 
found DN for each member of the human race, computer, machine, etc. Of course, 
if such a DN existed, then the reference problem in the Internet would also not 
exist. But since the Internet is void of a standard reference as we saw in 
Section 1, this means that the DN question has also no extrinsic solution.

DNS names are "natural" in the Internet and provide unique IDs for machines, at 
the granularity needed for the sorts of applications we are discussing.

The paper at http://www.mcg.org.br/cie.htm is name-agnostic. That text is not 
in the beginning and
is NOT a problem handled by the paper. The paper just makes the (correct) 
affirmation that X.500
DNs do not work as expected.  The reader can use any naming convention the 
reader wants --
including DNS names or DNs.


<snip>Why do you say that? Any DNS name specifies a path from the root to a 
node in the DNS tree, just as an X.500 DN does.  What is not hierarchic 
about a DNS name?


As Stef has already discussed elsewhere, the DNS naming scheme is an ontology.  
That is, it is hierarchical only in that the totality of names in the tree is 
a hierarchy, but there need be no meaningful relationship between the names 
at any level of the DNS name tree.

DNS names bear no specific relationship to anything, hierarchical or not.  Some 
people want them to represent geography, others want them to conform to rigid 
product and service categories, others want them to be used as a Directory.  
There are many hierarchical and non-hierarchical relationships you can define 
within the *same* DNS name space. The environment is potentially much more 
complex and varied than a relatively simple one-dimensional hierarchy, 
including: (1) territories (e.g., cnri.reston.va.us), (2) type of sponsoring 
institution (e.g., fcc.gov), or (3) a hybrid of the two (e.g., dillons.co.uk). 
Because the Internet is basically an open, distributed information system, the 
identifiers aren't really tied to any physical notion of geographical exercise 
of sovereignty either.

Also, contrary to DNs assigned by an RA as defined in X.509, most DNS names are 
self-assigned and then are registered in some system that is used to advertise 
arbitrarily assigned bindings to other entities.

Cheers,
Ed Gerck