pem-dev

Re: DNs (Re: Corporate Identity and Authorization)

1993-09-23 14:17:00
Bahreman> I cannot agree any less strongly with Charlie's point of not using DNs
for authorization and other *things* except what it's there to
do--uniquely identifying an entity.

Also, in a nutshell, I think there are merits with not using the format
of the DN to guarantee its uniqueness.  I would rather see a single DN
used for an entity throughout the world than multiple DNs all uniquely
pointing to that entity.  The privacy problems of doing that, set aside!

The obvious problem is that we don't have an X.500 directory. The
"entity" that we are using the DN to name and perhaps describe is the 
X.509 certificate, NOT the "individual" to whom it is issued, and
therein lies the problem. Because of some of the inflexibilities that we
are now stuck with, the use of multiple certificates for different purposes
(roles) by the same person is, IMHO, inevitable for the reasons that
I have so succinctly and tersely :-) described.

You seem to be saying that the DN should not be "distinguished,"
i.e., unique, but rather should just be a normal letterhead type of name
that lists the user's name and organization (postal mail address, basically).
Other means of qualification should be found to distinguish between
different certificates used for different things.

I might be inclined to agree with you there. But doesn't that lead to
throwing away the use of the X.509 certificate structure? That sure
would break a lot of eggs at this point.

BTW, I encourage you and Charlie and everyone else to come up with
alternative solutions to these problems, rather than just saying you
don't like or agree with one of my solutions and/or saying that the
problem I mentioned doesn't exist or isn't worth solving. I may be
wrong, of course, but I think they are real.

Bob
