Bob,
In your note to Joe about DNs, and in some subsequent messages,
I think we may be losing sight of what we are trying to do with DNs
and certificates. First, remember that DNs are NOT addresses for use
in routing email or other applications. The directory system has
other attributes for addressing.
In our discussions, sometimes you have expressed a strong
desire that DNs incorporate information that would enable a user to
physically locate a correspondent (organization or person) based on
information in a certificate. I thought the resolution of these
discussions was that ultimately, we would expect the PCA under which
the correspondent was certified, to provide the necessary records for
physically locating the correspondents. I think the primary emphasis
on selecting a DN, within the constraints of a directory schema, is
that we convey a name that is "meaningfully descriptive."
A single DN may not be meaningful to all correspondents in
all contexts. Thus the DN of a user in his work environment is
meaningful for correspondents who relate to him in the work context.
The same person has a different DN as a residential person, which is
appropriate for correspondence with other users and organizations that
relate to him as a resident. Formal messages are directed not to
individuals, but rather to roles, so residential DNs are not
appropriate in this context. The question for military personnel is
how their correspondents relate to them in inter-personnel messages.
An organizational DN for an individual (not a role) is still an
option here. One might address email to the individual based on his
military unit, without regard to the current geographic location of
the unit. I don't really know what is most appropriate here, and
residential DNs may be an option too, but I just wanted to suggest
that we not assume that residential DNs are necessary for these folks.
Steve