pem-dev

Re: Naming and other hard problems

1994-01-03 10:54:00
William,

I think you might find a lot of folks who wouldn't want their street address
as part of their DN for privacy reasons.  Suppose I post to a controversial
group, someone is upset by the message and drives by my house and shoots out
some windows?  We ran into a similar debate when we thought about assigning
IP host names in dormitories.  An obvious solution was to use a combination
of room number for name and building name for domain.  It was decided that this
was too great a risk to the students' privacy (granted a host name is a lot
different from a DN).

This could probably be addressed by using some unique serial number in these
instances.  We were forced to generate unique ids for our X.500 project for
the same reason.

The potential conflict between privacy and the disclosure of one's bona fides
in a digital signature certificate is one that has been wrestled with for four
or five years, at least.

The context I was assuming was that of a medium to high assurance PCA,
notably that of the RSA Commercial Hierarchy, where the primary intent is to
use digital signatures for "commercial" purposes, whatever they might be.
Examples might be for filing your income tax return, ordering merchandise
as we currently do via credit card, carrying on business correspondence, etc.
In this context, my two major criteria are: 1) guaranteed global uniqueness of
the DN, and 2) sufficient specificity as to the whereabouts of the user so as to
allow for redress in the event the user attempts to renege on his
responsibilities.  Privacy of the user's address has to be secondary in this
case, unless the CA and/or PCA agree to maintain records that are subject to
subpoena -- a possibility that is bound to become a hot issue in any case.

Of course, this is certainly not the only possible domain of interest to users.
The Persona PCA was created to provide exactly the type of anonymity you
have discussed, and perhaps more, because in the Persona PCA any correspondence
between the user's DN and his "real" name is explicitly disavowed.  All that you
are guaranteed is that no one will be able to impersonate a given user's
pseudonym.

Some people have dismissed users who chose to use the Persona PCA or CA as
being dressed in "clown suits."  I don't think that is necessarily the case.  If
you chose to use your real name in a Persona certificate, you are free to do so.
You may also include your town but not your street address, for example.  On the
other hand, you may expect that people that you correspond with may take you a
little less seriously than you might otherwise expect or intend, just because
they will not have the same degree of assurance as to who you really are.

I am not sure whether a different class of PCA needs to be created, but I would
have no problem in having a PCA whose policy required the user to use his
or her real name, but allowed the user to post an address consisting of an
Internet address, PO box, an arbitrary serial number, or some other type of
more or less anonymous location information, in order to strike a different
kind of balance between the two poles of personal privacy and responsibility
for one's actions.

It should be obvious that there has not yet been a shakeout in terms of the
commercial viability of the various potential and actual PCA service providers,
or of the various services that each may provide to their user community.
My personal suggestion would be that if you feel that the existing PCA service
providers have not established policies that fit your particular needs, that
you explore forming a users' group of similarly-minded individuals and then
approach various potential service providers with your requirements.

Although I would hate to see the creation of dozens of different PCAs, all with
slightly different policies, I also don't want to see the possibility of using
digital signatures for valid commercial purposes watered down by the (equally
valid, under some circumstances) concern for individual privacy.  A
one-size-fits-all Procrustean bed will clearly not suffice, but it is not yet
clear exactly how many different PCA policies will be required.

Bob
