Bob,
First, the scope of certificates and DNs is broader than directory
authentication, as X.509 clearly states. X.400, MSP, and the work on
authorization in ECMA and ISO are all based on use of X.509
certificates.
Second, DNs are designed to uniquely and descriptively identify all
entities in the directory. Since the range of such entities is almost
unbounded, the range of naming constructs is quite flexible. The
semantics associated with a name vary depending on the entity being
named. Object classes defined in X.520 provide for fairly
straightforward semantics for residential persons, organizations,
organizational persons, devices, etc. However, it is easy to overload
name semantics, to try to make authorization management or non-
repudiation, or some other security problem easier. This is usually
done at the expense of other naming features, because one focuses
exclusively on solving a specific problem via this path.
As for mailbox names, X.500 certainly understands that these are not
the same, making explicit provisions for storage of mailbox names as
attributes (but they are not envisioned as distinguished attributes) in
directory entries.
Your extended discussion about the path you went down trying to
determine the mailbox of a CA from a user's certificate is, in my
opinion, an example of trying to distort the DN and certificate
constructs to solve a problem that neither were intended to solve nor
that they should be modified to solve. Bob, please stop doing this!
This is like criticizing the structure of phone numbers (and offering to
"fix" them) because they can't be used to determine the social security
number of the person.
In establishing the certification system, 1422 notes that it is intended
to serve more than just PEM, even though PEM provides the initial focus
for the development and deployment of the system. If we take a purely
commercial-PEM application view, we can modify certificates so that they
solve various problems perceived by people trying to solve some
problems, but probably at the expense of generality. I cannot be too
enthusiastic about this approach.
Steve