-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate: MIIBjjCCATgCAQIwDQYJKoZIhvcNAQECBQAwRjELM
AkGA1UEBhMCVVMxJDAiBgNVBAoTG1RydXN0ZWQgSW5mb3JtYXRpb24gU3lzdGVtc
zERMA8GA1UECxMIR2xlbndvb2QwHhcNOTIwNzE3MTQwNzM0WhcNOTQwNzE3MTQwN
zM0WjBgMQswCQYDVQQGEwJVUzEkMCIGA1UEChMbVHJ1c3RlZCBJbmZvcm1hdGlvb
iBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZDEYMBYGA1UEAxMPSmFtZXMgTS4gR
2FsdmluMFowDQYJKoZIhvcNAQEBBQADSQAwRgJBAMQMw5IxCtHdZfe+oAdrm8mq9
6RjvRfbG8I6Y903VX3ZJysXlWEDB2jYlm5aif6Pds2OdGq9DqNo5+swciLIXvECA
QMwDQYJKoZIhvcNAQECBQADQQATTPt6kCH9064K6dlzxZRGxfPUZOGw5R4DpurJx
+hpHf5/3SXztgusxGbhv9XU/GezmLvNQDdjwqWCp8g7VpDD
Issuer-Certificate: MIIBZTCCAQ8CAQIwDQYJKoZIhvcNAQECBQAwNzELMAkGA
1UEBhMCVVMxKDAmBgNVBAoTH1RydXN0ZWQgSW5mb3JtYXRpb24gU3lzdGVtcyBQQ
0EwHhcNOTIwNzE3MTMyMzI4WhcNOTQwNzE3MTMyMzI4WjBGMQswCQYDVQQGEwJVU
zEkMCIGA1UEChMbVHJ1c3RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLE
whHbGVud29vZDBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDE+Wmy9YJM1p+NNPBwa
GAJWx1FvRNSTNaCa+ZgItM5x3Yl5+BFBIf/QfApcyiaOpFteindkKbryeu4WXd1v
C6HAgEDMA0GCSqGSIb3DQEBAgUAA0EAJQZuSuHg+LJy3wCv1YRd1l0eB66UOVDfZ
nbdG/u86flC8J/4Y+QaD7DM579sPbAF0Hv7Wv2yaMzlarafMGaibA==
MIC-Info: RSA-MD5,RSA,duRqW5oVLyZRl2trlPC/iTyoDx1MOYcwIlF0qQvAN1G
jenBJMR+GjqO2qwLYeu0w9E9HpjJrbgoxVpxLjZN+gA==
Gentlefolks,
This philosophical discussion is interesting, but let's talk about
what's working today. The Internet reference implementation is beta
testing today, it's available today to any qualifying
individual/organization (sorry, legal restrictions not subjective ones),
and we're dealing with these issues every day.
1. Stef, I take exception to your comment that when you mentioned the
NADF 175 document at the Boston IETF no one had read it or understood
it. As PEM implementors, we (TIS) most certainly had read it and
understood it, including its predecessor. In fact, when determining
an organization's distinguished name to be used for PEM, we recommend
people read it and even distribute it to them (as RFC 1255) if it's
convenient for them.
2. Vint and Wolfgang are both correct. RFC 1422 does tightly couple the
naming hierarchy with the certification hierarchy. The principal
reason for this is a pragmatic one: distinguished names must be
unique and unambiguous. In the absence of registration services PEM
needed a mechanism to satisfy this requirement.
Now, we can discuss the choice that was made, and make a motion to
use other choices, but let us focus on the technical issue. There
will be opportunities to revise the RFC to allow other choices.
Wolfgang's observation that the requirements of the RFC are too
restrictive for his environment is significant. We need to
determine if he's unique or represents a substantial community.
Obviously, this will determine the importance of changing the choice
made by the current RFC.
3. In beginning our beta testing of TIS/PEM, we had to consider what to
do about approving or disapproving an individual's or organization's
distinguished name. After much discussion we decided it was very
difficult for us to pass judgement on the choice of distinguished
names. At most, there were names we knew were wrong but it did not
make sense for us to decide what was right.
Therefore, what we decided is that we would offer all the advice and
guidance we had to the process of choosing a name, but as long as the
name was not wrong and it was consistent with the suggestions in RFC
1255 and it was consistent with the PEM requirements in RFC 1422, we
would allow it. The caveat we emphasized to all organizations and
individuals is that *THEY* are responsible for their distinguished
name and how it is used. We reserve the right to tell them their
name is wrong at some point in the future and therefore must be
changed.
Although this sounds harsh it really isn't. We expect that this
policy will be an element of all PCA policies. Let's face it, we're
all learning about distinguished names. There is a culture that
needs to be established within the community of the "common man". We
should expect change as we gain more experience with this issue.
Toward this end, our PCA issues CA certificates with a 3 month
validity period. This allows for fairly quick changes to
distinguished names, if necessary.
Jim
- ------------------------------------------------------------------------
This message digitally signed with Privacy Enhanced Mail. Get your copy
of the Internet reference implementation from "pem-info(_at_)tis(_dot_)com".
-----END PRIVACY-ENHANCED MESSAGE-----
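Point 2 of the message (RFC 1422 ties the naming hierarchy to the certification hierarchy so that distinguished names stay unique and unambiguous) and the closing remark about short CA certificate validity periods both describe checks a PCA or CA operator would run before accepting a name. The following Python is an added example, not code from TIS/PEM or from the message: it parses a distinguished name string into RDNs, applies the CA-to-subscriber name subordination rule (the subject's DN must extend the issuing CA's DN), and computes and checks a calendar-based validity window. The DN strings, the `parse_dn`/`is_subordinate`/`validity_window`/`vet_request` names and the 3-month default are constructed for the example; real PEM certificates carry DNs in ASN.1, not in this text form.

```python
import calendar
from datetime import datetime

# Added example: name subordination and validity checks in the spirit of
# RFC 1422. All DN strings and helper names below are constructed.


def parse_dn(dn: str):
    """Parse 'C=US, O=Example, CN=Alice' into a list of (attr, value) RDNs.

    A backslash escapes the next character, so 'O=Acme\\, Inc' keeps its comma.
    Attribute types are upper-cased so comparison is case-insensitive on the type.
    """
    pieces, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))

    rdns = []
    for piece in pieces:
        piece = piece.strip()
        if not piece:
            continue
        attr, sep, value = piece.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {piece!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def is_subordinate(issuer_dn: str, subject_dn: str) -> bool:
    """RFC 1422 subordination: the issuing CA's RDNs must be a strict prefix
    of the subject's RDNs, in order. A CA may not certify a name outside its
    own branch, nor a name identical to its own."""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    return len(subject) > len(issuer) and subject[: len(issuer)] == issuer


def validity_window(issued: datetime, months: int = 3):
    """Return (not_before, not_after) for a certificate valid for `months`
    calendar months, clamping the day to the target month's length."""
    m = issued.month - 1 + months
    year, month = issued.year + m // 12, m % 12 + 1
    day = min(issued.day, calendar.monthrange(year, month)[1])
    return issued, issued.replace(year=year, month=month, day=day)


def is_valid_at(not_before: datetime, not_after: datetime, at: datetime) -> bool:
    """True when `at` lies inside the half-open window [not_before, not_after)."""
    return not_before <= at < not_after


def vet_request(ca_dn: str, subject_dn: str, ca_not_before: datetime,
                ca_not_after: datetime, at: datetime):
    """Collect the reasons a certification request would be refused.
    An empty list means the name may be issued under this CA right now."""
    problems = []
    try:
        if not is_subordinate(ca_dn, subject_dn):
            problems.append("subject DN is not subordinate to the CA DN")
    except ValueError as exc:
        problems.append(f"subject DN unparsable: {exc}")
    if not is_valid_at(ca_not_before, ca_not_after, at):
        problems.append("CA certificate is not valid at issuance time")
    return problems


if __name__ == "__main__":
    # Constructed sample: a CA under a PCA, certifying one user.
    ca = "C=US, O=Example Org, OU=Glenwood"
    user = "C=US, O=Example Org, OU=Glenwood, CN=Jane Doe"
    nb, na = validity_window(datetime(1992, 7, 17, 14, 7, 34))
    print(nb, na)  # 1992-07-17 14:07:34 1992-10-17 14:07:34
    print(vet_request(ca, user, nb, na, datetime(1992, 8, 1)))  # []
    print(vet_request(ca, "C=US, O=Other, CN=Jane Doe", nb, na, datetime(1992, 8, 1)))
```

Because the validity window is three calendar months, a name that turns out to be wrong can be corrected at the next CA certificate issuance rather than living on for years; `vet_request` refuses issuance both for a non-subordinate name and for a CA whose own certificate has lapsed.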