> I am in favour of such a certificate structure, then we won't have
> to worry about how to map an address to a DN, where to get it from,
> what DN to use,...
I am not in favor of breaking support of X.509-style certificates at this
stage, if it is possible to map DNS names onto a portion of the X.500 DIT,
such that organizations which would rather use registered DN in existing
X.509 certificates than DNS names with PEM may.
RFC1279 as modified by RFC1384 (for "o=Internet") could provide the
DistinguishedNames for entities which have a DNS 'registration' but not a
registration in a DMD.
Mappings for newly-listed sites could be algorithmic.
For example, an organization "bar.com" which wished to become a CA could
perhaps be listed as
dc=bar, dc=com, o=Internet [@o=Internet@dc=com@dc=bar]
A user "joe@foo.bar.com" would be listed as
dc=joe, dc=foo, dc=bar, dc=com, o=Internet
If in the future bar.com was [registered|listed] with an X.500 name of
o=Bar Incorporated, c=US
there could be an alias from its "dc=bar,dc=com,o=Internet" to its new name.
Note that I am not advocating in this message, however:
restricting DNs usable with PEM to those based on DNS
components, or requiring storage of PEM certificates in DNS
as I don't see the need to alienate organizations which wish to support X.500
as well as PEM.
-------------------------------------
Mark Wahl; M.Wahl@isode.com; ISODE Consortium
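The algorithmic DNS-to-DN mapping described above (bar.com -> dc=bar, dc=com, o=Internet; joe@foo.bar.com -> dc=joe, dc=foo, dc=bar, dc=com, o=Internet), as an added Python example that is not part of the original message: it builds the DN from a domain or mailbox, checks each label against DNS label syntax before it becomes a dc= value, maps a DN back to a domain, and emits the root-first "@o=Internet@dc=com@dc=bar" form shown in brackets. Treating the mailbox local part as a dc= component and the label check are assumptions taken from the message's example, not from RFC1279 itself.

```python
import re

ROOT = "o=Internet"  # root of the DNS-derived portion of the DIT (RFC1384)
# DNS label: alphanumerics and hyphen, no leading/trailing hyphen, 1-63 chars
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _check_label(label: str) -> str:
    """Reject anything that is not a syntactically valid DNS label,
    so that commas, '=' or '@' can never end up inside a dc= value."""
    if not LABEL_RE.match(label):
        raise ValueError(f"invalid DNS label: {label!r}")
    return label


def domain_to_dn(domain: str) -> str:
    """bar.com -> 'dc=bar, dc=com, o=Internet' (leaf component first)."""
    labels = [_check_label(l) for l in domain.strip(".").split(".")]
    return ", ".join(f"dc={l}" for l in labels) + ", " + ROOT


def mailbox_to_dn(mailbox: str) -> str:
    """joe@foo.bar.com -> 'dc=joe, dc=foo, dc=bar, dc=com, o=Internet'.
    Assumption: the local part is listed as one more dc= component,
    as in the message's example."""
    local, sep, domain = mailbox.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    return f"dc={_check_label(local)}, " + domain_to_dn(domain)


def dn_to_domain(dn: str) -> str:
    """Inverse mapping; only accepts DNs made purely of dc= under o=Internet."""
    parts = [p.strip() for p in dn.split(",")]
    if not parts[:-1] or parts[-1] != ROOT:
        raise ValueError(f"not under {ROOT}: {dn!r}")
    labels = []
    for part in parts[:-1]:
        attr, sep, value = part.partition("=")
        if not sep or attr.strip().lower() != "dc":
            raise ValueError(f"non-dc component: {part!r}")
        labels.append(_check_label(value.strip()))
    return ".".join(labels)


def dn_to_root_first(dn: str) -> str:
    """Root-first '@'-separated form, e.g. '@o=Internet@dc=com@dc=bar'."""
    parts = [p.strip() for p in dn.split(",")]
    return "".join("@" + p for p in reversed(parts))
```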