Ella,
As I haven't seen your name until recently, I'll assume that you
probably haven't been slogging through all the megabytes on some
of these issues.
> I guess you're trying to include descriptive
> information in the Directory name which will be in the certificate. You
> seem to be assuming that there will be no directory service available.
Yes and no. Yes, I am assuming that an X.500 directory service will be
available, and no, I am not assuming that it will be ubiquitous for at
least another 20 years or so. (Look how long it took for DTMF to reach
80% of all homes.)
In addition, regardless of whether there is a directory or not, the X.509
certificate that is used to authenticate a digital signature has to contain
a sufficient amount of information as to support that validation, and that
has to be captured as of the (approximate) time the message or document
was signed. I'm sure that you understand this requirement, for DMS is required
to support "official" record traffic which can direct the flow of money, cause
troops to go to war, and lots of other interesting things that might eventually
have to be audited.
Unfortunately, IMHO (others may and often have disagreed), the X.509
certificate as presently defined provides no useful way to capture meaningful
attributes other than by forcing them into the Distinguished Name. Some
might argue that if one of the attributes, e.g., Serial, might sometime be
necessary in order to absolutely guarantee global uniqueness, then it should
in fact be part of the DN. Others might not agree.
In any case, what we are currently trying to do is force a confluence
between naming schemes, including other relevant information as necessary
for digital signature support, and the current plans for deploying X.500
directories that may not have the same objectives or priorities, or even
the same players. The result is about like two glaciers grinding together.
> Are you confusing naming with routing?
No, I hope not. But if you name something with a locality of Ft. Huachuca,
and then route it to Bremerhaven, I think a whole lot of people are going to
become very confused. DMS ain't none of my business anymore -- I gave up
on trying to work in that arena about three years ago. However, I am aware that
Defense Logistics Agency interfaces with some 100,000 vendors, approximately
80% of which are small, 8-A companies who will in all probability follow more
commercial standards. Even though DMS is going to use the Tessera card
with its own custom algorithm, etc., etc., there will eventually have to be
interoperability between DMS and the Internet, the Internet and X.400, etc.
At that point we arrive at a pressing need for a global public-key
infrastructure which embraces ALL of the needs.
Thanks for the information on FIPS PUB 5-2. It sounds like there might be a
little disconnect between the Post Office and Dept. of Commerce? I'll have
to research it further.
Bob