Bob J. -- The Postal Service has very well developed conventions for
addressing mail to all sorts of transient folks, as well as statutes and
regulations for determining how to deliver mail to prisoners, hospital
patients, rooming house boarders, hotel guests, university students, and, of
course, service people. I wonder if that is really relevant, however, to
the issue before you. Are you really advocating a physical
address system for electronic certificates modeled on postal conventions?
P.S. By the way, part of the purpose of the APO/FPO system is to obscure
the destination of mail pieces, for the obvious reasons.
Joe Wackerman
Let me introduce you to the pem-dev community. Joe Wackerman is a lawyer for
the US Postal Service who has been working with the ABA group on
Nonredudiation and Notarization, along with people like Frank Sudia and Richard
Ankney
(active in X9F1), Hoyt Kesterson (X.500/X.509), George Parsons (RSA), and most
recently Sead Muftic (COST) and Steve Kent.
Joe, I don't know whether you have been able to read all of the pem-dev material
over the last month or more, but as part of the ABA agenda and as an attempt
to fill in the blanks as to how one would really operate a PEM system, I have
been
trying to codify a reasonably complete set of examples and underlying philosophy
(if that's not too pretentious a term) for naming conventions for a public-key
intrastructure which would support PEM, X.400, and other such systems, with
the primary focus on applications for electronic commerce and digital
signatures. I hope
to present it in at least rough form at the meeting next week, incorporate
comments and
changes, post it for comments within the PEM community, and probably take it to
the
NADF meeting in February for further comments and criticism. Then, if it seems
worthwhile,
we might turn it into an RFC.
In a get together after the last meeting, Steve , Hoyt, Sead, and I came to a
reasonably
clear common understanding of the issues involved in naming for organizational
persons.
More recently we have been wrestling with the issues involved in creating X.500
distinguished names for residential persons, and trying to provide PCAs and CAs
some guidance as to what these names should look like.
We have still not quite come to closure on the issue of name subordination in
the
case of a residential person, but I believe that over the last week I have laid
out
a reasonable scheme for most of the other naming conventions. (I'll be happy to
FAX or resend those messages to you, if you didn't get them, or you can
retrieve
them from the PEM archives.)
Particularly in the case of the residential person, we cannot count on full
time access
to electronic mail systems. The user may frequently be using dial-up access to
CompuServe or a similar system. But he or she may want to use PEM for privacy,
and may ultimately want to sign their income tax returns, order merchandise,
etc.,
using the digital signature technology.
Assuming that we want to have a reasonably high assurance system for such
purposes,
the question becomes one of ensuring global uniqueness on the one hand, and
providing
a reasonable amount of specificity in terms of the identification and location
information
to be included in the certificate. We understand that an identification
certificate such
as the current X.509 certificate does not explicitly empower or authorize the
user to
do anything, nor does it explicitly authorize anyone else to something on
behalf of that
user. We understand that it may still be necessary to check credit information,
etc.,
before committing to a high-value transaction. But I think that most of us at
least hope
that a decent digital signature certificate should be at least as good as a
driver's
license, and when presented with either a check or a credit card authorization
(in either physical or electronic form), that should be sufficient for a broad
range of
routine commercial transactions.
Because we don't want to needless exclude any segment of society from having
such
options available to them (except possibly for people in jail or in prison), it
is necessary
to have means of specifying their address information, and I was trying to make
sure
that we had covered all of the cases that we could think of. In particular, I
want to be
reasonably sure that the Postal Addressing attribute types specified in X.520
are
sufficient for our purposes, and to identity a subset of those attributes that
a PEM
implementation should reasonably be expected to support. During this process I
identified
three new states and the postalCode attribute that I hadn't previously
considered or heard
anyone else mention, so I guess the effort was worthwhile.
So yes, in the absence of anything better, I am suggesting that we follow the
guidance
of the Post Office in dealing with transients, patients, boarders, guests,
students, service
personnel, and the like. I guess my underlying assumption is that if the
mailman (sorry,
mail carrier-person) can find someone, then so can the sheriff, and that is
sufficient
for my purpose.
Can I ask you to look over the regulations you mentioned and provide some
good examples? I was also going to ask you to review the RFD rules, and furnish
examples of how to address people living in the rural areas, away from named
streets
and house numbers.
Bob