pem-dev

Re: Are DN's really names?

1993-03-02 10:59:00
Given aliasing in DN space there should be no issue.  Aliasing is
essential IMHO to overcome the deficiencies of any single hierarchy
since one occasionally needs to be interrogated by someone who knows
the name but not the place.  Hence residential, organizational, and
other taxonomies may via aliasing identify the role regardless of the
individual, with key placed there, or identify the person residentially
with a single key at the residence, as called for by the situation.  The
ability of an employee to use a residential key at the place of business doesn't
make it hard to fire the person... just remove from the organization's
DN space... unless directory caching has long lifespans, which issue may
not have been addressed and whose technical solution is not obvious.

It is already commonly understood in business that the way a person signs
his name determines whether the company or the person is doing the talking.
I would hope that any meaningful signed business document from IBM
had an IBM DN, not a residential one, even if the key used by the person
in the job was just aliased to his personal/residential one.  These are
not complicated concepts.  However let me see if I understand them
properly:

        1.  I can get a certificate associated with a residential DN,
            although uniqueness may be a problem for a while so I may
            need to change keys or residential DN's at some time in
            the mid range future when things quiet down. 
        2.  I can be assigned DN's elsewhere in the hierarchy which
            reference my residential DN and personal key for identity
            info, if everyone involved so desires, or which contains
            a different key if desired.  Attributes such as emailboxes,
            UPS shipper numbers, and so on may also be aliased or
            direct at each node as well.
        3.  If IMX is successfully asserted, the DNS essentially
            becomes one of the available taxonomies for those that
            find it useful as such.

The only thing I have seen in this group recently that worries me is
the idea that a CA feels responsible for guaranteeing a unique DN when
the certificate is issued, hence the DN must be subordinate to it.

Unless it is possible for one node in DN space to refer to another for
access to its key, it will be necessary to certify far more keys than
are needed globally at much cost for no benefit.  Assuming however that
this capability exists, what matters it that the DN where the certificate
is stored is subordinate to the DN of the CA?  That just means that the
residential and other DN's for me, the key buyer, must ALL reference the
entry subbed to the CA for key access.  And it also means that this
interim kludge can be removed later when global assurance of unique DN's
can be made.  Out of all these messages I am hard pressed to find any
real issue requiring decision making.  - Greg Bailey
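
A small Python model of the aliasing the post describes (an added example, not code from the pem-dev thread or its author): an organizational DN node refers to a residential node for its key, a lookup follows the references, and a directory cache with a long lifetime keeps answering for the organizational DN after the organization has removed that entry. The DNs and the key value are constructed placeholders.

```python
from typing import Dict, Tuple

class Directory:
    """Constructed DN space: each node holds a key, or aliases the DN of the node that does."""
    def __init__(self) -> None:
        self.keys: Dict[str, str] = {}      # dn -> key held directly at that node
        self.aliases: Dict[str, str] = {}   # dn -> dn of the node holding the key
    def resolve(self, dn: str, max_hops: int = 8) -> Tuple[str, str]:
        """Follow aliases to the node holding the key; refuse loops and long chains."""
        cur, seen = dn, set()
        for _ in range(max_hops):
            if cur in self.keys:
                return cur, self.keys[cur]
            if cur not in self.aliases:
                raise KeyError(f"no entry for {cur}")
            if cur in seen:
                raise ValueError(f"alias loop at {cur}")
            seen.add(cur)
            cur = self.aliases[cur]
        raise ValueError(f"alias chain from {dn} exceeds {max_hops} hops")

class CachingResolver:
    """Directory cache with a fixed lifetime, the 'long lifespans' the post worries about."""
    def __init__(self, directory: Directory, ttl: float) -> None:
        self.directory, self.ttl = directory, ttl
        self.cache: Dict[str, Tuple[float, Tuple[str, str]]] = {}
    def lookup(self, dn: str, now: float) -> Tuple[str, str]:
        hit = self.cache.get(dn)
        if hit and now < hit[0]:
            return hit[1]                       # served from cache, possibly stale
        result = self.directory.resolve(dn)
        self.cache[dn] = (now + self.ttl, result)
        return result

RESIDENTIAL = "C=US, L=Anytown, CN=Greg Bailey"   # constructed sample DNs
ORG = "C=US, O=Example Corp, CN=Greg Bailey"

def stale_after_removal(ttl: float, later: float = 3600) -> bool:
    """Does a cache of lifetime ttl still answer for ORG `later` seconds after the org deleted it?"""
    d = Directory()
    d.keys[RESIDENTIAL] = "KEY-residential-placeholder"
    d.aliases[ORG] = RESIDENTIAL                # org node refers to the residential key
    cache = CachingResolver(d, ttl)
    cache.lookup(ORG, now=0)                    # first lookup fills the cache via the alias
    del d.aliases[ORG]                          # the person leaves: org entry removed
    try:
        cache.lookup(ORG, now=later)
    except KeyError:
        return False
    return True
```

A fresh resolution of the removed organizational DN fails immediately; only a cache whose lifetime outlives the removal keeps vouching for it.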