As long as it doesn't get in the way of interoperability. Now that
many of the service providers (GTE among them, I think) are, under the
auspices of NADF, trying to come up with a way to interconnect
directories, there is at last some hope for the cause of X.500
interoperability in the United States.
I'm not sure I understand what the interoperability issue might be. If
I wish to create a name for myself that I can make a good, documented
case for that name, what does any directory or CA have to say about
that?
They don't have anything to say about it. From a PEM perspective there really
isn't any problem. This is what I was trying to say in my original posting: the
issue of how DNs are constructed is outside the scope of PEM.
Or perhaps more to the point, how could that create an
interoperability problem?
Let's say I want to send you an encrypted message. But I don't have your exact
DN; we have never communicated before. How do I go about finding your DN and
corresponding public key? I have to do a directory search, of course. Even
assuming the necessary directory connectivity is available to me, it won't do
me much good if the way you organize people in the directory isn't something my
software knows how to deal with.
There are all sorts of issues surrounding the concept of setting up and
maintaining a genuinely useful distributed directory. Connectivity is a big
problem: in my experience the reason the Internet X.500 pilot doesn't work too
well is because so few of the DSAs are actually online at any given point. But
this is just transient stuff -- structural differences in directory schema can
cause *big* problems that are anything but transient.
Ned
P.S. I'm aware that I'm glossing over all sorts of security concerns here.
We're having enough trouble getting a directory deployed without worrying about
whether or not the information in it is trustworthy.