pem-dev

Re: PEM Test Service

1993-02-20 13:42:00
The current proposal is to invoice PCAs $5,000 per year
to defray the cost of operating the registry and the
CRL database. The other matter of Distinguished Name
uniqueness (especially for residential certificates)
looks more difficult and I hope that somehow the
X.500 infrastructure will emerge to assure that all
DNs are unique. We can certainly assure that the PCA
distinguished names are unique and probably manage
a small database of CA DNs manually (or, preferably,
by means of an email-enabled application).

I'll preface this message by saying that I've not been in the thick of
the PEM development effort, but with that aside...

I should certainly hope that PEM DNs match those used in the existing
X.500 hierarchy.  The NADF (in NADF 175 -- see RFC 1417) has done a lot
of good work to ensure that organizations have a reasonable way of
registering themselves in logical positions in the DIT, while having
the capability to list themselves at other locations.  Were the PEM DNs
to be different than those suggested by the NADF (and used to some
extent in the current X.500 pilot), there would be yet another layer of
mapping and confusion to work through.  My X.500 entry (US, NASA, ARC,
Peter Yee) already contains an X.509 certificate (produced by OSISEC,
UCL's X.509 implementation).  I really don't want to see PEM, when it
is not backed by X.500, using DNs that are not likely to have a basis
in X.500 reality.  Assuming that there will be a trend to store
certificates in X.500 directories (and this is already happening at
a variety of sites), I would not really wish to see the need to re-cast
or map PEM DNs to match existing directory structure.

For a small investment in effort by PCAs now, the transition to X.500
directory storage of certificates could be quite easy.

Comments?  Flames?  :-)

                                                        -Peter Yee
                                                        
yee@atlas.arc.nasa.gov
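The two problems the thread raises, keeping one DN form across PEM and the X.500 directory and making sure a small CA/PCA registry never hands out the "same" name twice, come down to canonicalising names before comparing them. The following is an added illustration, not code from the pem-dev list, the NADF or any PEM or X.500 implementation. It assumes a hypothetical positional mapping for the informal "US, NASA, ARC, Peter Yee" form (country, organisation, organisational units, common name), converts it to and from the type=value string form used for directory DNs (RFC 1779 / RFC 4514 style), and applies X.500 caseIgnoreMatch-style comparison (case folded, surrounding whitespace removed, internal whitespace runs collapsed) so that names differing only in case or spacing collide as they should. All names in it are constructed samples.

```python
"""Canonicalise Distinguished Names and detect collisions in a small registry.

Added illustration for the discussion above; not code from the pem-dev list,
the NADF or any PEM/X.500 implementation. Assumptions:
  * the informal 'US, NASA, ARC, Peter Yee' form maps positionally to
    c / o / ou... / cn (a hypothetical mapping chosen for this example);
  * comparison follows X.500 caseIgnoreMatch semantics: case-insensitive,
    leading/trailing whitespace stripped, internal whitespace collapsed.
"""
import re
from typing import Dict, List, Tuple

RDN = Tuple[str, str]      # (attribute type, attribute value)
DNKey = Tuple[RDN, ...]    # canonical, root-first comparison key


def parse_informal_dn(text: str) -> List[RDN]:
    """Parse 'US, NASA, ARC, Peter Yee' into root-first (type, value) pairs."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) < 2 or any(not p for p in parts):
        raise ValueError(f"malformed informal DN: {text!r}")
    types = ["c"]
    if len(parts) > 2:
        types.append("o")
    types += ["ou"] * (len(parts) - 3)   # empty list when fewer than 4 parts
    types.append("cn")
    return list(zip(types, parts))


_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def parse_string_dn(text: str) -> List[RDN]:
    """Parse 'cn=Peter Yee, ou=ARC, o=NASA, c=US' (most specific RDN first,
    '\\,' escapes a literal comma) into root-first order."""
    rdns: List[RDN] = []
    for piece in _UNESCAPED_COMMA.split(text):
        if "=" not in piece:
            raise ValueError(f"RDN without '=': {piece!r}")
        attr, value = piece.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    rdns.reverse()
    return rdns


def parse_dn(text: str) -> List[RDN]:
    """Accept either form; the presence of '=' selects the string form."""
    return parse_string_dn(text) if "=" in text else parse_informal_dn(text)


def _escape(value: str) -> str:
    return value.replace(",", "\\,")


def to_string_dn(rdns: List[RDN]) -> str:
    """Emit the directory string form, most specific RDN first."""
    return ", ".join(f"{t}={_escape(v)}" for t, v in reversed(rdns))


def canonical_key(rdns: List[RDN]) -> DNKey:
    """caseIgnoreMatch-style key used for uniqueness checks."""
    return tuple((t.lower(), re.sub(r"\s+", " ", v.strip()).lower()) for t, v in rdns)


class DNCollision(Exception):
    """Raised when a DN is already held by a different owner."""


class DNRegistry:
    """Small CA/PCA name registry: a name may be re-registered by its own
    owner, but never by anyone else, however it is spelled or spaced."""

    def __init__(self) -> None:
        self._owners: Dict[DNKey, str] = {}

    def register(self, dn_text: str, owner: str) -> DNKey:
        rdns = parse_dn(dn_text)
        key = canonical_key(rdns)
        held_by = self._owners.get(key)
        if held_by is not None and held_by != owner:
            raise DNCollision(f"{to_string_dn(rdns)} already registered to {held_by}")
        self._owners[key] = owner
        return key

    def owner_of(self, dn_text: str):
        return self._owners.get(canonical_key(parse_dn(dn_text)))

    def __len__(self) -> int:
        return len(self._owners)


if __name__ == "__main__":
    reg = DNRegistry()
    reg.register("US, NASA, ARC, Peter Yee", "yee")      # constructed sample
    print(to_string_dn(parse_dn("US, NASA, ARC, Peter Yee")))
    try:
        reg.register("cn=PETER  YEE, ou=arc, o=nasa, c=us", "impostor")
    except DNCollision as exc:
        print("rejected:", exc)
```

The registry keys on the canonical tuple rather than on the raw string, which is the point: a naive string-equality check would accept "cn=PETER  YEE, ou=arc, o=nasa, c=us" as a new name, while a directory applying caseIgnoreMatch would treat it as the same entry.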
