John,
I respect your intelligence, and at least now I know that you fully
understand the argument I have been making.
I am not a lawyer, and neither (I trust) are you. I am presenting this
argument based on the sum total of my discussions with legal
counsel in a number of different forums, and it represents my
layman's understanding of the law. I credit you (and many others)
with doing the same.
Of course even reasonable people, and reasonably informed
people, can and do disagree. Even the Supreme Court
is most often split -- unanimous judgments are rare, especially
in cases that are complex or reach that level. So as Patrick
Henry (?) said, "I disagree with what you say, but I will defend
to the death your right to say it." (Well, maybe not QUITE that
far. :-)
Steve Dusse summed up the argument pretty well:
I believe that the effort you are making is worthy (as I have
indicated before). I don't think anyone is in total agreement as to
what a signature recipient's DEFAULT expectation will be and therefore
the exercise to set that DEFAULT=NO LIABILITY is well founded. Most
of the arguments I have heard against your effort fall into the
categories of:
1. I think you are wrong, the DEFAULT=NO LIABILITY is already the
case, wet signatures, blah blah blah...
-and-
2. Yuck. That's a terrible way to set the DEFAULT expectation.
The proponents of 1 shouldn't have any trouble with a solution, to them it
will be overkill. Pleasing the number 2 folks (myself among them)
will be difficult.
I agree with both of his statements. And note, by the way, that I was
really trying to get a disclaimer into the X.509 certificate, not into
the DN per se.
Finally, I am beginning to have some serious doubts as to whether
the X.509 certificate needs to have a DN at all. As someone else
said, all you really need is a unique public key -- everything else
can be pointed to by an alias of that key.
The question is what happens with a PEM user who is not connected to
an X.500 directory?