>From: TCJones(_at_)MIL(_dot_)NCSC(_dot_)DOCKMASTER
>Subject: DN's and attributes
>Date: Thu, 22 Jul 93 14:13 EDT
Tom
I will send you a note on the background. It's about naming, and therefore
to be contained as much as possible, so that war does not break out
again. I'm afraid you got caught in the undeclared cross-fire when you chose
some unfortunate semantic examples in the discussion about syntax.
It does really matter that the practice of non-military security
implementation is based, given post cold war economies, on market pragmatism,
rather than dogma or unnecessary assurance levels, even though the dogma
may have to be espoused in public to protect the good reputation of those
who can claim high assurance properties based on real enforcement of
the policy rules. The costs of high assurance are just no longer
bearable, whereas wide-spread low and medium-assurance technology can
have major economic impact. Providing it happens.....
>>Tom's reading of pure CCITT standards is that of a newcomer --- one who
>has to learn that, yes, it's subsequent provider agreements which really
>matter, within the common framework stated by X.???
>
>Boy .. now you seem to be telling us that our "Distinguished Names" are
>not even ours but the property of some provider. I, for one, certainly
>hope that you don't know whereof you speak.
>
Try choosing your _own_ name, and getting it and its key certified....
Others have tried, and been rejected for (dogma-valid) reasons I
reiterate privately.
>- - -
>
>RFC1422> The attributes employed in constructing DNs will be specified
>in a list maintained by the IANA, to provide a coordinated basis for
>attribute identification for all applications employing DNs.
>
>Also, it sometimes takes a newcomer to tell the emperor that he has no
>clothes. (Or was it that the standard had no ATTRIBUTE-SET?)
>
I'm sorry; the wording was crass. A colleague asked about this once
also, and received some private hate mail back. I'm not sure what happened
in IANA.
My suggestion was precisely that it's the real providers
who define the set's values, to make reality possible, within the
common framework set by these std requirements like X.500 name forms.
There are no clothes because it's our job as technology implementors to
make them, fit for the market.
Our team is currently trying to distribute some rather dubious PEM
software currently - to just try and get some momentum going...
>- - -
>
>To any of the rest of you who are trying to build databases with DN's or
>certs in them, I would appreciate implementation comments on what you
>have found. Off-line if you don't like the atmosphere here.
>
This is an implementors forum; so stay. I used to struggle also to
fit in, here; evidently still learning! Effective Deployment requires as much
work and talent as original design specification. So there are several years
of work ahead still.
>Peace ..Tom Jones