pem-dev

Dname matching

1994-02-03 11:39:00
Steve,

Two questions re your message to Paul Clark:

1. What is the schedule for bringing up the IPRA? Who is
responsible, and who will administer it?

2. Because there may be somewhat more PCAs formed than 
we might have originally anticipated, shouldn't the DN name
conflict database format be published as an RFC?

I certainly agree with Paul that the deletion of ALL whitespace
would be quite undesirable. Presumably you meant all _redundant_
whitespace.

Paul>
In the absence of the IPRA database, a CA will need to properly compare
dnames to ensure uniqueness under the equivalence rules. Also,
during message processing a PEM implementation will be required
to properly retrieve/store certs from its local cache based upon
the originator/recipient-id fields. Since these fields should
probably not be assumed to be in canonical form, the implementation
will be required to canonicalize them.

I agree that a PEM implementation should probably canonicalize the 
originator and recipient-id fields, just to take out blanks that might have 
been inserted carelessly. I am not convinced that the PEM UA should 
necessarily do anything more, such as offering the user a choice of 
equivalence classes of similar certificates. Presumably the names were
extracted from the user's certificate in the first place, and therefore
should not have been modified.

(That does NOT mean that PEM shouldn't have a user-friendly interface
to allow the conversion of nicknames into both e-mail names AND
certificates, for this is a badly needed feature that probably can't wait
for an integrated X.500 solution.)

Given some of my examples, and our previous discussion of the aliasing 
problem, do you have any further thoughts on what the relationship
should/must be between the DN in the certificate and one or more
DNs in the directory?  

1.  Exact match, including unknown OIDs?

2.  CaseIgnoreString match of directory DN to certificate DN?

3.  Subsets or supersets of string matches?

4.  Not necessarily any correspondence at all, as in the case of aliases,
    aka's, and dba's?


Bob
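The two points the message makes about canonicalization (collapse redundant whitespace, never all of it, and compare values caseIgnore-style) and Paul's point that a CA must compare dnames for uniqueness, worked through as an added example. This is not code from the pem-dev thread or from any PEM implementation; the comma-separated string DN syntax, the attribute names and the sample DNs are constructed for the illustration.

```python
"""Canonical comparison of distinguished names as discussed on the list.

Added illustration, not code from the pem-dev thread. The string DN form
("CN=Bob Smith, O=Example Corp, C=US"), the attribute keywords and the
sample names below are assumptions made for the example.
"""

import re

_WS = re.compile(r"\s+")


def split_rdns(dn: str) -> list[str]:
    """Split a string DN on commas that are not escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def canonicalize(dn: str) -> tuple[tuple[str, str], ...]:
    """Return a comparable canonical form of a string DN.

    - attribute types are uppercased (they are case-insensitive keywords)
    - leading/trailing whitespace is trimmed and internal runs of
      whitespace collapse to one space: only REDUNDANT whitespace goes
    - values are case-folded, which is the caseIgnoreString behaviour
    """
    rdns = []
    for rdn in split_rdns(dn):
        if not rdn.strip():
            raise ValueError(f"empty RDN in {dn!r}")
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr_type = attr_type.strip().upper()
        value = _WS.sub(" ", value.strip()).casefold()
        rdns.append((attr_type, value))
    return tuple(rdns)


def dn_equivalent(a: str, b: str) -> bool:
    """True when two DNs fall into the same equivalence class."""
    return canonicalize(a) == canonicalize(b)


def strip_all_whitespace(dn: str) -> str:
    """The rejected alternative: deleting ALL whitespace before comparing.

    Kept only to show why it is undesirable; 'Bob Smith' and 'Bobs Mith'
    become indistinguishable.
    """
    return _WS.sub("", dn).casefold()


def find_conflicts(dns: list[str]) -> list[list[str]]:
    """Group DNs a CA would have to treat as the same name.

    Returns every group with more than one member, i.e. the name
    conflicts a CA must detect before issuing.
    """
    groups: dict[tuple, list[str]] = {}
    for dn in dns:
        groups.setdefault(canonicalize(dn), []).append(dn)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    # Constructed sample input for a local run.
    registry = [
        "CN=Bob Smith, O=Example Corp, C=US",
        "cn=BOB   SMITH,o=EXAMPLE CORP,c=us",
        "CN=Bobs Mith, O=Example Corp, C=US",
    ]
    print("conflicts:", find_conflicts(registry))
    print("all-whitespace collision:",
          strip_all_whitespace(registry[0]) == strip_all_whitespace(registry[2]))
```

The escape handling in `split_rdns` is what keeps a value such as `Smith\, Bob` in one RDN; a naive `dn.split(",")` would break that name into two attributes and then fail the `=` check.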
