pem-dev

civil names versus listed name

1994-02-04 23:07:00

Marshall,

With reference to NADF SD-5, we know that a systematic
mechanism of naming civil entities exists; we also know
that such entities may choose to be listed not only
at various points of the civil naming tree, but also within
the private DITs operated by ADMDs. namingLinks shall
facilitate an intelligent DUA to reconstruct a complete
picture of the attributes which describe a given entity.

For PEM, let's say GTE Information Systems is providing
a listing service mapping DNs into certificates. Let's
pretend that those listing DNs do not follow the NADF
schema, as well they might not in reality, to make
a clear distinction between the various uses of names being considered here.

Does the naming architecture of SD-5 conceive said
GTE-listed individual's entry's stored certificate
to have the DN of that entry, or that of
the civil (right-to-use) name? I assume the latter.

I see no reason why, for a user certificate issued
under PEM rules, that certificate should not be
made accessible using the services of an ADMD. Just as
the intelligent DUA might follow numerous links to obtain
1) the authoritative DN/e-mail address relation, 2) phone
numbers, 3) a registry of favorite drinks, so too 4) it
might obtain competitively provided certificates.

A user might be issued several certificates by different assurance
domains, where each authentication domain might be served by a different
directory provider. Each of these listings will be required by a PEM recipient,
in the worst case. However, the search is not easy. PEM only indicates
the name of the issuer CA and the serial number of the certificate
issued. Even if PEM UAs cache PEM-provided certificates, cached
certificates get LRU-flushed eventually.

Normally one can check all subordinate directory entries of the issuer, in the
worst case, to determine the subject DN. In the case where certificates are not
stored in the entry of the civil name, as is likely, there is no way to
determine the recipient's civil name, or thereby the namingLink, and/or
the certificate.

It seems that under the NADF schema, a) certificates must be stored in the entry
whose DN is that of the certificate's subject, or b) PEM must
indicate the DN of the intended recipient, or c) the subject DN
is that of the listing location of the entry storing the certificate (ugh!).

X.700, X.400 and X.500 don't have the problem, as the protocols carry
the entity identity (securely). Does the NADF schema impact on PEM
to perhaps do the same, under the above argument?

Peter.

