pem-dev

Re: Assertions About Attributes of Names

1993-08-15 10:57:00
I researched RFC1422 yet again on Distinguished Names and rediscovered a
muddle of ideas with no obvious guidance.  This may be intentional, but
it leads to a variety of different interpretations.

...

This is simply an artifact of using X.500. X.500 defines a very general set of
concepts and facilities. But it says practically nothing about what any of it
means or how it is to be used. In fact, this is in general true of many other
ISO/CCITT standards as well: the specifics of actual meaning and use were
supposed to be hammered out in specific national implementation agreements.
However, the need for interoperability across implementation agreements has
robbed these agreements of much of their ability to get down to specifics.
(There are other contributing factors that I don't want to get into here.) This
has led to the need to clarify these issues at the service provider level or
slightly above. And this in turn is why you see the IETF and EMA and EEMA and
JEMA and NADF and so on trying to work out these things. (All of these groups
are either involved now or plan to be involved in directory usage specification
work.)

The issue here isn't whether or not you like this way of doing things. This is
the way it is, and by buying into X.500 this is what you get. The question then
is whether or not the PEM documents should be dealing with these issues (as you
point out, they don't even come close right now).

My opinion is that this is not automatically something the PEM working group
and the documents it produces should be dealing with. The IETF has several
working groups that deal with X.500 issues specifically. The PEM working group
needs to monitor and liaise with these efforts and make sure PEM's X.500 needs
are being addressed. PEM-specific issues (such as the changes to CRLs that are
needed to eliminate encoding ambiguities) are of course the responsibility of
this group. But the general structure of DNs is something that must be hammered
out elsewhere.

That pretty much seems to be it.  There are several other groups in
North America and elsewhere that seemed to be determined to limit the
assignments of DNs, but these are vague and probably not enforceable by
anything short of a national monopoly.

It is a big mess, all right. However, it is far from clear that what's needed
is another contender in the arena.

I can't say from my own personal experience that IANA has taken up the
task given to them by implication in RFC1422 or even that IANA exists.

Assuming this implication to be valid, I totally disagree with it -- this is
NOT a job for IANA. More accurately, while it may be IANA's job to maintain a
database of information about various schemas used for various purposes, it is
absolutely NOT IANA's responsibility to generate these things to begin with.
This is an involved political process and not something that can be
handled by fiat.

Since GTE will be establishing their own CA, it is up to GTE to find
Distinguished Names for its employees subject to the PCA only.  And if
you don't like what one PCA tells you, go find another.  And since
you're a telephone co., just become an administrative domain, build your
own directory and put your employees in it, surely no one could stop you
from doing that.

Ain't competition won'erful!

As long as it doesn't get in the way of interoperability. Now that many of the
service providers (GTE among them, I think) are, under the auspices of NADF,
trying to come up with a way to interconnect directories, there is at last some
hope for the cause of X.500 interoperability in the United States.

                                Ned
