Russ,
Again, every DUA that uses strong authentication will encounter the new
attribute. If we are successful in deploying certificate-based key management
for PEM, then the Directory will very likely use the same technology for
authentication. I hope that the successful use of certificates in PEM will
lead to the use of certificates in other authentication applications. After
all, this is the reason why PEM adopted the X.509 certificate format....
Certainly it was the intent of the X.500 folks to use X.509 for the purpose of
strong authentication of user access to control changes to the directory itself.
But after talking to Hoyt Kesterson, who speaks _ex cathedra_ on this subject,
I am not at all convinced that they have thought through all of those issues.
They haven't addressed the need to archive requests for changes or updates
to the directory, for example, and I strongly suspect that they will discover that they
need something remarkable like authorization certificates to permit fine-grained
control over who can change what kinds of information, or even see certain kinds
of information in the directory.
Like you, I would certainly like to see a simple, common infrastructure that
could support a wide diversity of applications.
But X.509 does not meet that goal, and it therefore must either be changed or
abandoned.
Bob