>From: Mark Wahl <M(_dot_)Wahl(_at_)com(_dot_)isode>
>Subject: Re: The relationship between an entry and a real-world object
>Date: Thu, 19 Aug 1993 12:32:26 +0100
>
>>I am in favour of such a certificate structure, then we won't have
>>to worry about how to map an address to a DN, where to get it from,
>>what DN to use,...
>
>I am not in favor of breaking support of X.509-style certificates at this
>stage, if it is possible to map DNS names onto a portion of the X.500 DIT,
>such that organizations which would rather use registered DN in existing
>X.509 certificates than DNS names with PEM may.
>
>RFC1279 as modified by RFC1384 (for "o=Internet") could provide the
>DistinguishedNames for entities which have a DNS 'registration' but not a
>registration in a DMD.
>
>Mappings for newly-listed sites could be algorithmic.
>For example, an organization "bar.com" which wished to become a CA could
>perhaps be listed as
>dc=bar, dc=com, o=Internet [@o=Internet@dc=com@dc=bar]
>
>A user "joe@foo.bar.com" would be listed as
>dc=joe, dc=foo, dc=bar, dc=com, o=Internet
>
The PEM implementation from UCL uses this type of mapping, but this does
not work all the time! What happens if you decide to have lower CAs
under dc=bar, dc=com, o=Internet within "bar.com"?
Jamel
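
A sketch of the algorithmic mapping described in the quoted message, added here as an illustration (it is not the UCL PEM implementation or code from either poster). It shows one case where the mapping is ambiguous, which is an assumed reading of the objection: a lower CA "foo.bar.com" and a user "foo@bar.com" receive the same DN. All function names are hypothetical.

```python
# Added illustration. Function names are hypothetical; this is not the UCL PEM code.

def dns_to_dn(domain):
    """Map a DNS name as in the message: one dc= RDN per label, then o=Internet."""
    labels = domain.strip(".").lower().split(".")
    if not all(labels):
        raise ValueError(f"bad DNS name: {domain!r}")
    return tuple(("dc", label) for label in labels) + (("o", "Internet"),)

def mailbox_to_dn(address):
    """Map user@domain the same way; the local part becomes the leading dc= RDN."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local:
        raise ValueError(f"bad mailbox: {address!r}")
    # Assumption: the local part is one RDN value, compared case-insensitively.
    return (("dc", local.lower()),) + dns_to_dn(domain)

def format_dn(dn):
    """Most-specific-first form, e.g. dc=bar, dc=com, o=Internet."""
    return ", ".join(f"{t}={v}" for t, v in dn)

def quipu_form(dn):
    """Root-first '@' form, as shown in brackets in the message."""
    return "".join(f"@{t}={v}" for t, v in reversed(dn))

def is_subordinate(subject, issuer):
    """True if the subject DN lies strictly below the issuer DN in the tree."""
    return len(subject) > len(issuer) and subject[-len(issuer):] == issuer

def find_collisions(names):
    """Group input names by mapped DN; return DNs claimed by more than one name."""
    by_dn = {}
    for name in names:
        dn = mailbox_to_dn(name) if "@" in name else dns_to_dn(name)
        by_dn.setdefault(format_dn(dn), []).append(name)
    return {dn: srcs for dn, srcs in by_dn.items() if len(srcs) > 1}

if __name__ == "__main__":
    # Constructed sample: a top CA, a lower CA, and two users.
    sample = ["bar.com", "foo.bar.com", "foo@bar.com", "joe@foo.bar.com"]
    for dn, srcs in find_collisions(sample).items():
        print(f"{dn} <- {srcs}")
```

With the constructed sample, the lower CA and the user "foo@bar.com" both map to dc=foo, dc=bar, dc=com, o=Internet, so the DN alone cannot tell a certificate issuer from an end user.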