pem-dev

Re: Re: CA Names

1994-02-03 11:54:00
John,

        The X.500 naming schema is important.  PEM was not developed, nor were
        X.509 certificates and the PEM naming rules developed in a vacuum.
        The suggested DIT was considered and, I would argue, adopted as
        specified.  PEM restricts itself to attributes which are part of
        object classes which are specified in X.520 and suggests a naming
        schema compliant with the suggested DIT precisely so that it can
        take advantage of the Directory.

My current understanding is that the naming rules were deleted from the RFCs,
and that the IANA has not yet specified which attributes are
required/allowed/not allowed. I believe that the directory schema falls into
the same category, and I do not sense that there is any firm consensus as yet
on many of these issues among the NADF members, who are just starting to work
on Yellow Pages and are far from supporting EDI or more general applications
(including PEM).

I'm not suggesting that PEM, X.509, or the PEM naming rules (if any) were
created in a vacuum. But after five or more years of effort devoted to trying
to understand the business issues involved in object naming, I would hate to
conclude that Moses brought down those rules in the form of stone tablets
from On High.

I am suggesting that there is some room for movement within both PEM and the
evolving directory support services, and that a degree of harmonization will be
required.

From a pragmatic standpoint, I don't think that it is reasonable for PEM to
have to swallow the existing X.520 attributes as the be-all-and-end-all.
Certainly the X.500 people recognized this when they put the X.400 attribute set
in the X.400 document, not in X.520.

I feel that as we come to a consensus as to what is really required for PEM,
we should have the same rights (and responsibilities).

        As a practical matter, it is not trivial to change a DIT in any
        DSA implementation I have seen.  Typically it requires that
        a new DSA be built and the information from the old database
        be copied.  (Try changing the size of your Unix root partition
        and you will see what I mean).

You may have a point here, although I haven't enough experience with
different DSAs to confirm this from the standpoint of directory DNs.

        Consequently I conclude that PEM can define attributes to support
        whatever functionality it requires, but cannot realistically expect
        these attributes to be adopted as distinguished naming components.

Many, if not most, of the attributes that we have been discussing are not
NEEDED within the DN of the certificate, much less within the DN of
the user in the directory. But until we can revise (or abandon) the current
X.509 structure, which doesn't allow for any additional attributes except
by adding them to the DN, what choice do we have?

Bob
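The point Bob makes in his last paragraph, that an X.509 certificate of that era had nowhere to carry application attributes except inside the subject DN, can be seen concretely by pulling a DN apart. The following is an added illustration, not code from the pem-dev thread or from any PEM implementation: it splits a string-form DN into its RDNs and reports which attribute types belong to a small (assumed) subset of the X.520 standard set and which are private types riding along in the name. The sample DN, the `PEMRole` attribute and the six-entry X.520 table are constructed for the example; the escaping rules follow the later RFC 4514 string form.

```python
"""Added example: classify the attribute types found in a certificate
subject DN as X.520 standard types or private additions.  Not part of
the pem-dev thread; the X.520 subset and sample DN are assumptions."""

# Assumption: a PEM-era subject DN normally uses only these X.520 types.
# Short names map to their real X.520 object identifiers.
X520_ATTRIBUTES = {
    "C": "2.5.4.6",    # countryName
    "ST": "2.5.4.8",   # stateOrProvinceName
    "L": "2.5.4.7",    # localityName
    "O": "2.5.4.10",   # organizationName
    "OU": "2.5.4.11",  # organizationalUnitName
    "CN": "2.5.4.3",   # commonName
}
_X520_OIDS = set(X520_ATTRIBUTES.values())


def _split_unescaped(text, sep):
    """Split `text` on `sep`, ignoring separators preceded by a backslash."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Turn '\\,' back into ',' (and likewise for any backslash-escaped char)."""
    out, escaped = [], False
    for ch in value:
        if escaped:
            out.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn):
    """Parse 'CN=a,OU=b+O=c,C=US' into a list of RDNs.

    Each RDN is a list of (type, value) pairs; '+' joins a multi-valued RDN.
    Attribute types are normalised to upper case so 'cn' and 'CN' match.
    """
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        avas = []
        for ava_text in _split_unescaped(rdn_text, "+"):
            if "=" not in ava_text:
                raise ValueError("malformed attribute-value assertion: %r" % ava_text)
            attr_type, value = ava_text.split("=", 1)
            avas.append((attr_type.strip().upper(), _unescape(value.strip())))
        rdns.append(avas)
    return rdns


def classify_dn(dn):
    """Return (standard, private) lists of (type, value) pairs found in `dn`.

    A type counts as standard if it is a known X.520 short name or OID;
    anything else is a private attribute that only the DN could carry.
    """
    standard, private = [], []
    for rdn in parse_dn(dn):
        for attr_type, value in rdn:
            is_std = attr_type in X520_ATTRIBUTES or attr_type in _X520_OIDS
            (standard if is_std else private).append((attr_type, value))
    return standard, private


# Constructed sample: standard components plus a hypothetical PEMRole
# attribute that has no home in the certificate other than the DN.
SAMPLE_DN = "CN=Example User,OU=Research\\, Security,O=Example Corp,C=US,PEMRole=signer"

if __name__ == "__main__":
    std, priv = classify_dn(SAMPLE_DN)
    print("X.520 components:  ", std)
    print("private components:", priv)
```

Running the module on the sample DN lists the four X.520 components and one private `PEMROLE` component; the escaped comma inside the organizational unit is kept as part of its value rather than starting a new RDN.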