pem-dev

Re: CA Names

1994-02-02 16:35:00
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-ID-Asymmetric: MFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDE
 kMCIGA1UEChMbVHJ1c3RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwh
 HbGVud29vZA==,03
MIC-Info: RSA-MD5,RSA,kmVMFNxj7eY7Mhk4Vi2BslGMi8zJR1K1UJSbjAbQd56
 WDAHD8YbzaBEuzHabbCjIbz9tk/ZyuWznCr0k4nvim13vP2iEi3L4aQlAKXExGmq
 0oK6jePvWoHrRQB8MHveE

Bob,

Paul and I have been interacting a bit on this point, so let me
attempt to clarify the issue, at least as I see it.

First, I prefer not to speak in terms of "directories."  Certificates
are based on distinguished names.  Distinguished names are lists of
sets of AVAs.  There is a somewhat complicated set of rules for
determining when two representations of a distinguished name are
equivalent.  At issue in this thread is the "syntax" of values of
attributes.  The "syntax" -- that's a very poor term for the concept
involved here! -- is a rule that defines an equivalence class of
values.  For example, CaseIgnore determines that two strings that
differ only in capitalization are equivalent.

The issue at hand is what to do with attributes with unknown syntax.
If you create a certificate and include an OID in the subject's dname
that I've never seen, I don't know what to do with the next dname that
has the same OID.  Under what circumstances do I know when you are
referring to the same entity (person) with only a variant of the
representation of the value of that attribute, and when are you
referring to a distinct entity?

I don't have any compelling examples to illustrate the issue; all of
the examples are admittedly artificial.  But the issue here is
mathematical precision of the design, and it's strange and annoying
that there should be any confusion on this matter at all.  But I
confess I haven't got a clue as to why the notion of "syntax" was
included in the definition of values in the first place.


Steve

-----END PRIVACY-ENHANCED MESSAGE-----
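
The problem raised in the message above, as an added example that is not part of the original message or the list archive: a distinguished name comparison that applies a known equivalence rule per attribute type and cannot decide when the type's "syntax" is unknown. The caseIgnore rule here is simplified, the three-way result is this example's own choice, and the sample names and the OID 2.999.1 (standing in for an unrecognized attribute type) are constructed.

```python
from enum import Enum

class Match(Enum):
    EQUAL = "equal"
    DIFFERENT = "different"
    UNKNOWN = "unknown"  # syntax unknown and representations differ

def case_ignore(value):
    # Simplified caseIgnore: fold case and collapse runs of whitespace.
    return " ".join(value.split()).lower()

# Attribute type OID -> normalizer that defines the equivalence class.
KNOWN_SYNTAX = {
    "2.5.4.3": case_ignore,   # commonName
    "2.5.4.6": case_ignore,   # countryName
    "2.5.4.10": case_ignore,  # organizationName
    "2.5.4.11": case_ignore,  # organizationalUnitName
}

def compare_value(oid, a, b):
    normalize = KNOWN_SYNTAX.get(oid)
    if normalize is not None:
        return Match.EQUAL if normalize(a) == normalize(b) else Match.DIFFERENT
    # Unknown syntax: identical representations are one value; anything
    # else cannot be decided without the attribute's matching rule.
    return Match.EQUAL if a == b else Match.UNKNOWN

def compare_dn(dn_a, dn_b):
    """A DN is a list of RDNs; each RDN is a dict {oid: value} (set of AVAs)."""
    if len(dn_a) != len(dn_b):
        return Match.DIFFERENT
    result = Match.EQUAL
    for rdn_a, rdn_b in zip(dn_a, dn_b):
        if rdn_a.keys() != rdn_b.keys():
            return Match.DIFFERENT
        for oid, value in rdn_a.items():
            verdict = compare_value(oid, value, rdn_b[oid])
            if verdict is Match.DIFFERENT:
                return Match.DIFFERENT
            if verdict is Match.UNKNOWN:
                result = Match.UNKNOWN
    return result

# Constructed sample names; 2.999.1 stands in for an unrecognized attribute type.
BASE = [{"2.5.4.6": "US"}, {"2.5.4.10": "Example Org"}, {"2.5.4.3": "Alice Smith"}]
FOLDED = [{"2.5.4.6": "us"}, {"2.5.4.10": "EXAMPLE  ORG"}, {"2.5.4.3": "alice smith"}]
EXT_A = BASE[:2] + [{"2.5.4.3": "Alice Smith", "2.999.1": "Badge-0042"}]
EXT_B = BASE[:2] + [{"2.5.4.3": "Alice Smith", "2.999.1": "badge-0042"}]
```

`compare_dn(EXT_A, EXT_B)` returns `Match.UNKNOWN`: the two names differ only in the capitalization of a value whose equivalence rule the comparer has never seen, so it cannot say whether they name the same entity.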
