Tom,
I'll respond primarily to the parts of your message that
comment on my earlier message, plus a couple of generic directory
issues:
- You can search a directory using any of the attributes in an
entry so long as the attributes are not explicitly declared not
searchable. However, the directory should be thought of as a
hierarchical database indexed primarily by Distinguished attributes, so
a search based on other attributes may be quite slow.
- One cannot construct just any DN and have the resulting
entry live in a directory. The entry must fit into the schema for the
directory, i.e., it must belong to object classes, and the
definitions of those object classes are the purview of the directory
administrator, not you as a subscriber.
- CAs ARE a permanent aspect of the certification system! The
directory specs define them and make provisions for attributes
specific to them (based on object class definitions), e.g., CRLs. CAs
ARE NOT a transient artifact of PEM!
- You really have to read the other parts of X.500, not just
509 and 520, to understand what a distinguished name is and why some
attributes make sense as distinguished attributes and others do not.
Just because an attribute could be used to "distinguish" one entry
from another, that does not make the attribute a reasonable candidate
for a DN. As someone else has mentioned, the heavy-duty discussions
of DNs take place on other lists, and it might make sense for those
interested in coming up to speed on the subtleties of the topic to read
some of the archives from those lists, or to do more extensive reading
on X.500.
- Again, with regard to why the role occupant attribute is not
appropriate for a DN, there is more to this than just the question of
whether adding another attribute would "distinguish" one entry from
another.
- One more time, think of DNs as the principal search keys for
entries in the directory database (DIB). It seems far-fetched, to me,
to use a characterization of assurance level as a primary search key.
- It is not the case that "most" PEM and CA software will
constrain users and CAs to have at most one AVA pair in an RDN. That
was a characteristic of some early TIS software, but it has not been
the case for software that BBN has developed and I think several PEM
developers have said that their software does/will have the ability to
support this form of DN.
Steve
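Two of the points above, that a DN is the principal search key into the DIB and that an RDN may legitimately carry more than one AVA, are easier to see with a concrete parser. The following is an added example, not code from this thread or from any PEM, TIS or BBN implementation: it parses the RFC 4514 string form of a DN (a later standard than the X.500 documents discussed here, assumed for the syntax), splits each RDN into its AVAs on `+`, and derives a canonical key in which attribute-type case and AVA order within an RDN do not matter. The sample DNs are constructed for illustration.

```python
"""Minimal X.500 DN string parser (RFC 4514 syntax, assumed) showing
multi-valued RDNs and a DN used as a canonical primary key.
Added example; not code from the PEM discussion or any directory product.
Escape handling covers backslash escapes and double-quoted values only."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RDN:
    """One relative distinguished name: a set of (type, value) AVAs."""
    avas: Tuple[Tuple[str, str], ...]

    def key(self):
        # X.501 treats an RDN as a set of AVAs: order is irrelevant and
        # attribute types are case-insensitive. Values are compared exactly
        # here (a simplification of the per-attribute matching rules).
        return frozenset((t.lower(), v) for t, v in self.avas)


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators that are backslash-escaped or
    inside a double-quoted value."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])       # keep the escape pair intact for now
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(v: str) -> str:
    """Strip surrounding quotes and resolve backslash escapes in a value."""
    v = v.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = v[1:-1]
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            out.append(v[i + 1])
            i += 2
        else:
            out.append(v[i])
            i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Return the RDNs in string order (most specific first, per RFC 4514).
    Each RDN may hold several AVAs joined by '+'."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        avas = []
        for ava_text in _split_unescaped(rdn_text, "+"):
            if "=" not in ava_text:
                raise ValueError(f"malformed AVA: {ava_text!r}")
            attr_type, value = ava_text.split("=", 1)
            avas.append((attr_type.strip(), _unescape(value)))
        rdns.append(RDN(tuple(avas)))
    return rdns


def dn_key(dn: str):
    """Canonical, hashable form of a DN: usable as the primary index key of
    a DIB-like store, which is the role the message above assigns to DNs."""
    return tuple(r.key() for r in parse_dn(dn))


def max_avas_per_rdn(dn: str) -> int:
    """How many AVAs the widest RDN carries (1 for a 'single-AVA' DN)."""
    return max(len(r.avas) for r in parse_dn(dn))


if __name__ == "__main__":
    # Constructed sample: a two-AVA RDN written two different ways.
    a = "CN=Steve Kent+ROLE=Admin, O=BBN, C=US"
    b = "role=Admin+cn=Steve Kent,o=BBN,c=US"
    dib = {dn_key(a): {"crl": "<placeholder CRL blob>"}}
    print("same entry:", dn_key(b) in dib)          # True
    print("AVAs in widest RDN:", max_avas_per_rdn(a))  # 2
```

The lookup at the end is the point of the exercise: once a DN is reduced to a canonical key, retrieving an entry is a single index hit, whereas a search on an arbitrary non-distinguished attribute would have to scan entries. Note that the DN-level order of RDNs is preserved in the key, so swapping `O=BBN` and `CN=...` yields a different name.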