Ali,
I'm not suggesting that every piece of information that might ever be of some
use to anyone be placed in the certificate, or that the CA be required to vouch
for information that it doesn't consider important or within its purview.
But I believe there is some information that the CA might need to sign, but
which is not necessary in order to uniquely identify an entity and therefore
should not have to go in the DN, for I am assuming that might unnecessarily
complicate the X.500 search strategy.
Maybe I should ask anyone who is more familiar with the actual operation of
X.500 than I am, exactly how an X.509 certificate would be retrieved, and
what the correlation is between the DN that is used to do the searching and
the DN that is contained within the X.509 certificate itself.
Would we expect to find individual entries for each of the various roles that
an individual might play as DNs in the directory, with the certificate that
corresponds to that particular DN included along with a number of other
attributes such as postal address?
Or would we be more likely to find a single DN for the "individual"
(at least the organizational person, as opposed to the residential
person), together with an indexed array of associated attributes?
I'm displaying my ignorance, but if I were listed in an X.500 directory,
how would I inform my correspondents that I am Bob Jueneman,
and if you want to send me some email for purpose 1, use email
address A and certificate X, but if you want to send email for purpose
2, then use email address B and certificate Y, where A may or may not be
equal to B, and X may or may not be equal to Y? If we could do this, then
certain attributes which don't change as a function of roles would not have
to be replicated (perhaps). But there might still be an issue of who takes
the responsibility for the correctness of the entries in the directory if they
are not signed by the CA (which could be the directory provider, of course).
Maybe Hoyt Kesterson could respond to this?
Bob
------------------------------------------------------
Bob writes:
I'm just trying to point out that there are many attributes that might
normally be contained in the directory that would be nice to have available
in a PEM-only context, and that regardless of the context it would be nice to
allow the CA to sign those attributes (such as employer's name and postal
address) without requiring everything to go into the DN.
You do realize that by adding to the information that the CA has to
sign, you are making its life more difficult since it now has to
verify the validity of all the additional information? Does the CA
even have the authority to verify all that information?
Also, what if that information changes? Do I need to get another
certificate signed by the CA every time my office room number changes?
_______________________________________________________________________
Alireza Bahreman                        E-Mail: bahreman(_at_)bellcore(_dot_)com
Bellcore, Room RRC-1K221                Phone : +1 908 699 7398
444 Hoes Lane, Piscataway, NJ 08854     Fax   : +1 908 336 2943