pem-dev

Re: Recent X.500 discussions [atypical DN's]

1993-08-19 10:27:00

From: Steve Kent
While I sympathize with your desire to use PEM for a wide
range of good stuff, I wholeheartedly disagree with your conclusion
that a disclaimer must be embedded into a certificate to make this
work.  

I agree that it would be much preferable to put disclaimer statements and 
such into the PCA policy.

It is pretty clear that a disclaimer attribute is completely out of
whack with the semantics of a DN, when viewed in the context of X.500.

For those users who _require_ that there be a disclaimer in their certificate,
they could define the last RDN component of their name as a multi-valued RDN,
containing their commonName attribute, a uniqueIdentifier or similar in lieu
of 1993 certificates, and the disclaimer|description attribute.  It's not as
ugly as making each of them a separate RDN.

Would there be a problem in current PEM implementations with multi-valued RDNs,
in particular for the situations when the last component is a commonName + 
uniqueIdentifier?  (This is the Pilot attribute, not the X.509(93) certificate
subjectUniqueIdentifier.) 

                -------------------------------------
        Mark Wahl; M(_dot_)Wahl(_at_)isode(_dot_)com; ISODE Consortium
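Added example, not part of the original message or of any PEM implementation: a minimal DER encoder and parser for an X.500 Name whose last RDN is multi-valued (commonName + Pilot uniqueIdentifier + description), showing that an RDN is a SET and must be handled as one unit rather than as a single attribute. All names and values are constructed, the function names are hypothetical, and every value is assumed to be encoded as PrintableString.

```python
# Added example; every name and value below is constructed for illustration.
OID = {"C": "550406", "O": "55040a", "CN": "550403", "description": "55040d",
       "uniqueIdentifier": "0992268993f22c64012c"}  # Pilot attribute (RFC 1274), DER hex
NAMES = {bytes.fromhex(h): n for n, h in OID.items()}

def tlv(tag, body):
    n = len(body)  # DER definite length: short form below 128, long form otherwise
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def enc_name(rdns):
    # Name = SEQUENCE OF RDN; RDN = SET OF AttributeTypeAndValue (DER sorts SET OF members)
    ava = lambda t, v: tlv(0x30, tlv(0x06, bytes.fromhex(OID[t])) + tlv(0x13, v.encode("ascii")))
    return tlv(0x30, b"".join(tlv(0x31, b"".join(sorted(ava(t, v) for t, v in rdn))) for rdn in rdns))

def children(buf):
    # Yield (tag, value) for each TLV found back to back in buf
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + n]
        pos += n

def parse_name(der):
    # Returns one frozenset per RDN, so attribute order inside an RDN never matters
    ((tag, body),) = children(der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns = []
    for t, rdn in children(body):
        if t != 0x31:
            raise ValueError("RDN must be a SET")
        rdns.append(frozenset((NAMES.get(o, o.hex()), v.decode("ascii"))
                              for (_, o), (_, v) in map(children, (a for _, a in children(rdn)))))
    return rdns

def multi_valued(der):
    # Indices of RDNs holding more than one attribute: the case the message asks about
    return [i for i, rdn in enumerate(parse_name(der)) if len(rdn) > 1]

SAMPLE = enc_name([[("C", "US")], [("O", "Example Org")],
                   [("CN", "Jane Doe"), ("uniqueIdentifier", "12345"), ("description", "no warranty")]])
```

A parser that reads only the first attribute of each SET would see just one of the three attributes in the last RDN, which is the interoperability risk with multi-valued RDNs.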
