>From: Mark Wahl <M(_dot_)Wahl(_at_)com(_dot_)isode>
>Subject: Re: The relationship between an entry and a real-world object
>Date: Thu, 19 Aug 1993 18:10:54 +0100
>>From: D F Sadok <D(_dot_)HadjSadok(_at_)cs(_dot_)ucl(_dot_)ac(_dot_)uk>
>>The PEM implementation from UCL uses this type of mapping but this does
>>not work all the time! what happens if you decide to have lower CAs
>>under dc=bar, dc=com, o=Internet within "bar.com"!
>
>I don't see what problem with use of o=Internet you are describing.
>
>The CA "dc=bar, dc=com, o=Internet" <bar.com> can sign the CA
>"dc=sales,dc=bar,dc=com,o=Internet" <sales.bar.com> can sign the user
>"dc=alice,dc=sales,dc=bar,dc=com,o=Internet" <alice@sales.bar.com>.
>And one can have CAs under "dc=sales, ..." signed by the sales CA.
>
We had previously always understood that there would be no attempt
made to actually store the DNS registered local and domain components
of Domain Names in the DIT.
Is this now the proposition?
This is different to the current situation where a set of domainComponents
are stored within the existing internet naming architecture. The feasibility
of using a DN/DM mapping depends on the congruence of the structures. This approach
suits ad-hoc searches for DN->DM->DN pairings. These are useful for
building SMTP UAs in which the UI to the user relies upon recipient
identification expressed as a mailbox address, rather than the Name, as
with the various X.400 user agents. Though, it breaks down as soon as
the naming assumptions differ from the registered DNS domain-name.
For example "cs.ucl.ac.uk" is mapped onto "c=gb,o=UCL,ou=cs"
of which "ou=cs" is a CA. Other CAs may be added further down.
Where do we get to know about these CAs unless they map the
domain tree in the first place?
In the current scheme subordinate unregistered domains need
to be supplied by the user and possibly conveyed by the MTS
in order to identify such subordinate naming contexts.
That is, DNS domains are being invented for the purpose
of mapping names.
P&J
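
The two mappings discussed in this thread, as an added Python illustration that is not part of either message or of the UCL PEM implementation. It derives the CA chain for the quoted dc= scheme from names alone, then shows that the "cs.ucl.ac.uk" mapping needs a table and leaves subordinate labels unresolved; every function name, and the subdomain "theory", is an assumption made for the example.

```python
# Added illustration. All function names here are hypothetical; DNs are lists of
# RDN strings, most specific first.

def domain_to_dn(domain, root="o=Internet"):
    """Quoted scheme: one dc= RDN per DNS label, rooted at o=Internet."""
    return [f"dc={label}" for label in domain.lower().split(".") if label] + [root]

def mailbox_to_dn(mailbox, root="o=Internet"):
    local, sep, domain = mailbox.partition("@")
    if not (local and sep and domain):
        raise ValueError(f"not a mailbox address: {mailbox!r}")
    return [f"dc={local.lower()}"] + domain_to_dn(domain, root)

def is_subordinate(subject, issuer):
    """True if subject lies strictly below issuer, compared RDN by RDN."""
    return len(subject) > len(issuer) and subject[-len(issuer):] == issuer

def ca_chain(subject, top_ca):
    """Issuer DNs from the subject's parent up to top_ca, derived from names alone."""
    if not is_subordinate(subject, top_ca):
        return []
    return [subject[i:] for i in range(1, len(subject) - len(top_ca) + 1)]

# Non-congruent mapping from the reply ("c=gb,o=UCL,ou=cs" on the page, written
# root first there). It cannot be computed, so it has to live in a table.
TABLE = {"cs.ucl.ac.uk": ["ou=cs", "o=UCL", "c=gb"]}

def table_lookup(domain):
    """Return (DN of the longest tabled suffix, labels left without a mapping)."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        dn = TABLE.get(".".join(labels[i:]))
        if dn is not None:
            return dn, labels[:i]
    return None, labels

def dn_str(dn):
    return ", ".join(dn)

if __name__ == "__main__":
    alice = mailbox_to_dn("alice@sales.bar.com")
    print(dn_str(alice))
    for ca in ca_chain(alice, domain_to_dn("bar.com")):
        print("  issuer candidate:", dn_str(ca))
    # "theory" is a constructed subdomain: the table gives no DN for it.
    print(table_lookup("theory.cs.ucl.ac.uk"))
```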