pem-dev

Re: CA Names

1994-01-31 06:15:00

I have been experimenting with X.500 since 88 -- in fact, followed the
development since 86. The assumption that one can painlessly introduce new
"attribute types" is just false: there is pain, and the pain has been obvious
since the very early experimentations. 

I have to agree with Christian here.

Both Christian and I have been involved in the ``PASSWORD'' X.509 pilot
project, and one of the major lessons learnt by this project is that
it is essential to be able to deploy a new technology one host at a time.

Security extensions to X.400(88) were a complete failure
because to make any use of it all you have to upgrade your entire
messaging infrastructure (MTAs and Message Stores must understand the
security extensions). In a real network (as opposed to a test network or
a small closed user group) this is effectively impossible to do.

PEM, on the other hand, was a great success because you can start to use it
as soon as you have two users with PEM user agents.

This experience would make me very doubtful of any other proposal that
requires global changes to the infrastructure, rather than just local changes 
to user agents.

Adding a new naming attribute would require all DSAs to be upgraded. It is
likely that we would never, ever get to a state where all DSAs in the world
knew about the new naming attribute; there would always be a broken host
somewhere on the net that hadn't been upgraded. Errors of the form ``Your
certificate got trashed because some DSA you've never heard of didn't like
the new attribute'' would most likely never go away.

PEM was designed around some very pessimistic assumptions about the possibility
of upgrading the Internet. X.400(88) was based on much optimism. The PEM
designers were right. The ``end-to-end argument'' wins again.

Mike
