Steve> - One cannot construct just any DN and have the resulting entry
live in a directory. The entry must fit into the schema for the
directory, i.e., it must belong to object classes, and the definitions
of those object classes are the purview of the directory administrator,
not you as a subscriber.
I guess then I am just too much of a capitalist to ever believe any of
this stuff about rigid rules for X.500 directories. If I have a name in
a directory or in a CA, and some new directory server tells me, the
customer, that I must change my name to accommodate his particular weird
rules, all I will think is just how I should tell him where his
directory should be placed?
- -
Steve> - CAs ARE a permanent aspect of the certification system! The
directory specs define them and make provisions for attributes specific
to them (based on object class definitions), e.g., CRLs. CAs ARE NOT a
transient artifact of PEM!
You must try to read messages a little better before you respond to
them. My comment was about the CA hierarchy. Now tell me - was it the
intent that the trust hierarchy rooted in the IPRA was required if X.500
directories already were in place?
- -
Steve> - You really have to read the other parts of X.500, not just 509
and 520, to understand what a distinguished name is and why some
attributes make sense as distinguished attributes and others do not.
Just because an attribute could be used to "distinguish" one entry
from another that does not make an attribute a reasonable candidate for
a DN. As someone else has mentioned, the heavy-duty discussions of DNs
take place on other lists and it might make sense for those interested
in coming up to speed on the subtleties of the topic to read some of the
archives from those lists, or to do more extensive reading on X.500.
For better or for worse, PEM has a default definition of a DN: it is
that thing which I must have in order to have a public key certificate.
There is no other reason for me to get a DN. It may be that X.500 was
standardized prior to PEM, but PEM is here and X.500 is not, so let's get
real. By the way just what are those other mailing lists?? -- the
person who mentioned them before suddenly can't think of any!
- -
Steve> - Again, with regard to why the role occupant attribute is not
appropriate for a DN, there is more to this than just the question of
whether adding another attribute would "distinguish" one entry from
another.
Again, if the DN does not distinguish one place where I may send
messages from another, it isn't much of a directory.
- -
Steve> - One more time, think of DNs as the principal search keys for
entries in the directory database (DIB). It seems far fetched, to me,
to use a characterization of assurance level as a primary search key.
One more time, if the DN is the primary search key, it had better
distinguish between distinct entries. And you can be quite sure that
the level of assurance that I get in creating a private message will be
a consideration in where (which mail box) to send a message!
If you really believe that assurance level is far fetched, how can you
justify using PEM at all?
Peace ..Tom Jones