pem-dev

Re: Unique DNs

1993-02-26 15:12:00
Message-Id: <9302261844.AA00982@transfer.stratus.com>
Subject: Re: Unique DNs 
Date: Fri, 26 Feb 93 13:44:48 -0500

Steve,

        I appreciate your desires with PEM and your absolute need for
unique names.  I understand that you chose the path of X.500 DNs to provide
those unique names.  I can understand X.500's desire to have unique names
entirely apart from PEM and I would assume that it looked like a natural
fit to just borrow their names.

        All I've been trying to point out is that if people want uniqueness
of names, it already exists in keys.  I bother to point this out only
because it seems that X.500 name uniqueness is not a well-established fact.
In fact, no one in Stratus is listed in an X.500 database, as far as I
know, and I wonder when (and if) it will ever come to be.  That's a side
issue.  The issue to me is only to point out that uniqueness is there
already for PEM, given that every PEM user has a public key.

You wrote:

      None of this disputes your observation that there are other
ways to provide identifier-key bindings.  However, schemes which do
not ensure global uniqueness of identifiers, do not seem likely to
scale well, or may make it easy for users to be confused by duplicate
names are unsuitable.

My public key is a unique name.  At 1024 bits, it doesn't need to scale any
more.  There's no chance of duplicate names to confuse users.

Of course, for a human to make any sense of my n=pk (name = public key),
he'd want something readable -- like my spoken name, my company, my e-mail
address, my list of interests, ....  These real-world attributes need to be
bound to my n=pk and that binding calls for a database of signed messages
declaring/certifying/claiming that those attributes are true.

It's entirely possible that if you start with my n=pk as the unique element
in this set of correlated records about me rather than demand that my DN be
unique (or that I even have one assigned), you might end up with the same
certification hierarchy which PEM has today.  It might be a little
different here and there.  All I tried to say when I jumped into the
discussion was that if n=pk were the unique name, then pem-dev would be
free of the flame war which I see raging around X.500.

I'm sorry if I've distracted any of pem-dev from useful work.

 - Carl

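The scheme Carl sketches above, as an added illustration that is not part of the original message: the public key itself serves as the unique name (n=pk), and human-readable attributes are bound to it only through signed records. This example uses Ed25519 from Go's standard library in place of the RSA keys PEM used, and the e-mail address is a constructed placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Assertion is one signed record in the "database of signed messages"
// that binds a real-world attribute to a key-as-name.
type Assertion struct {
	Subject   ed25519.PublicKey // the n=pk the attribute is claimed about
	Attribute string            // e.g. "email"
	Value     string            // e.g. "carl@example.invalid" (constructed)
	Sig       []byte            // signature by the holder of Subject's private key
}

// message canonicalises what is signed. Fields are length-prefixed so that
// "ab"+"c" and "a"+"bc" cannot produce the same signed bytes.
func message(subject ed25519.PublicKey, attr, val string) []byte {
	return []byte(fmt.Sprintf("%x\x00%d:%s\x00%d:%s", subject, len(attr), attr, len(val), val))
}

// Name is the unique identifier in Carl's argument: the key itself, hex-encoded.
func Name(pk ed25519.PublicKey) string { return hex.EncodeToString(pk) }

// Claim lets the key holder assert an attribute about their own n=pk.
func Claim(priv ed25519.PrivateKey, attr, val string) Assertion {
	pub := priv.Public().(ed25519.PublicKey)
	return Assertion{pub, attr, val, ed25519.Sign(priv, message(pub, attr, val))}
}

// Verify checks that the record really was signed by the key it names.
// A tampered value, or a record re-pointed at a different key, fails here.
func Verify(a Assertion) bool {
	return ed25519.Verify(a.Subject, message(a.Subject, a.Attribute, a.Value), a.Sig)
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	a := Claim(priv, "company", "Stratus")
	fmt.Printf("name=%s\n%s=%s verified=%v\n", Name(a.Subject), a.Attribute, a.Value, Verify(a))
}
```

Note that a valid signature only proves the holder of that key made the claim; whether the claim is true is exactly what the certification hierarchy Carl mentions would have to vouch for.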