I suppose I could be assigned a DN of
C=US,O=Internet, OU=BUNNY.GTE.COM,CN=rrj0.
CN=rrj0,dc=bunny,dc=gte,dc=com,o=Internet
But as Jeff Schiller said once, "it just might
work, but it would be wrong!", at least from
the standpoint of any PCA that would represent
itself as having any type of high assurance
policy.
I would imagine that a high assurance PCA would want to know a bit more
about an organization it was about to sign a CA certificate for than its
'whois' entry.
It wouldn't mind, for example, if the TIS-PCA were
to adopt this approach for casual email, including
privacy and semi-authentication.
I was looking for a solution which would not break the existing protocols,
would be scalable, and would support organizations and individuals who:
did not have an X.500 listing under a country
could not easily get an X.500 [listing|registration]
did have a DNS assignment
and wished to take advantage of PEM.
On the other hand, such an approach might represent
a useful halfway step between the completely
anonymous Persona PCA and the RSA Commercial
Hierarchy.
Perhaps one or more of the Internet service providers might become PCAs, and
when foo.com requested a network connection might for slight additional cost
also sign their CA.
-------------------------------------
Mark Wahl; M.Wahl@isode.com; ISODE Consortium