pem-dev

Re: The relationship between an entry and a real-world object

1993-08-19 10:09:00

From: Mark Wahl <M.Wahl@isode.com>
I am not in favor of breaking support of X.509-style certificates at this
stage, if it is possible to map DNS names onto a portion of the X.500 DIT,

From: D F Sadok <D.HadjSadok@cs.ucl.ac.uk>
The PEM implementation from UCL uses this type of mapping but this does
not work all the time! What happens if you decide to have lower CAs
under dc=bar, dc=com, o=Internet within "bar.com"!

I don't see what problem with use of o=Internet you are describing.

The CA "dc=bar, dc=com, o=Internet" <bar.com> can sign the CA
"dc=sales,dc=bar,dc=com,o=Internet" <sales.bar.com>, which can sign the user
"dc=alice,dc=sales,dc=bar,dc=com,o=Internet"
<alice@sales.bar.com>.
And one can have CAs under "dc=sales, ..." signed by the sales CA.

I was supposing that a proposal to replace DNs in certificates with 822 
addresses would cause the DN subordination requirement to become the domain
name subordination requirement.  

RFC 1422 3.4.2.4: "Certificates issued by CAs (for use with PEM) will be for 
users or for other CAs, either of which must have DNs subordinate to that of 
the issuing CA."

In what situation would the o=Internet approach not work, but another method
would, while still retaining the same naming semantics? 

[Although, in many situations I don't think the subordination rule is the best
 solution...]  

                -------------------------------------
        Mark Wahl; M.Wahl@isode.com; ISODE Consortium
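As an added example (not part of this thread, nor the UCL implementation's code), the following Python sketch implements the dc= mapping described above and the RFC 1422 3.4.2.4 subordination check. It assumes DNs are written most-specific RDN first as in the message, and that "subordinate" means the issuer's RDN sequence is a proper suffix of the subject's.

```python
"""Added example: map DNS names and 822 addresses onto the X.500 DIT with
dc= components under o=Internet, then check the RFC 1422 3.4.2.4 rule that
a certificate subject's DN must be subordinate to the issuing CA's DN.
DN strings are written as in the thread: most specific RDN first."""


def domain_to_dn(domain):
    """'sales.bar.com' -> 'dc=sales,dc=bar,dc=com,o=Internet'"""
    labels = domain.lower().strip('.').split('.')
    return ','.join(f'dc={label}' for label in labels) + ',o=Internet'


def address_to_dn(address):
    """'alice@sales.bar.com' -> 'dc=alice,dc=sales,dc=bar,dc=com,o=Internet'"""
    local, _, domain = address.partition('@')
    if not local or not domain:
        raise ValueError('expected local@domain')
    return f'dc={local.lower()},' + domain_to_dn(domain)


def parse_dn(dn):
    """Split a DN into (type, value) RDNs, normalising case and whitespace
    so 'dc=bar, dc=com, o=Internet' equals 'dc=bar,dc=com,o=Internet'."""
    rdns = []
    for part in dn.split(','):
        rdn_type, _, value = part.partition('=')
        if not value:
            raise ValueError(f'bad RDN {part!r}')
        rdns.append((rdn_type.strip().lower(), value.strip().lower()))
    return rdns


def is_subordinate(subject_dn, issuer_dn):
    """RFC 1422 3.4.2.4 (assumed reading): the subject sits strictly below
    the issuer in the DIT, i.e. the issuer's RDNs are a proper suffix."""
    subj, iss = parse_dn(subject_dn), parse_dn(issuer_dn)
    return len(subj) > len(iss) and subj[len(subj) - len(iss):] == iss


def check_chain(chain):
    """chain: list of (subject_dn, issuer_dn) pairs from the leaf upward.
    Returns the first pair violating subordination, or None if all pass."""
    for subject, issuer in chain:
        if not is_subordinate(subject, issuer):
            return (subject, issuer)
    return None


if __name__ == '__main__':
    chain = [(address_to_dn('alice@sales.bar.com'), domain_to_dn('sales.bar.com')),
             (domain_to_dn('sales.bar.com'), domain_to_dn('bar.com'))]
    print('violation:', check_chain(chain))  # None: both links are subordinate
```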
