crocker(_at_)tis(_dot_)com (Stephen D Crocker) writes:
> Under what circumstances do I know when you are
> referring to the same entity (person) with only a variant of the
> representation of the value of that attribute, and when are you
> referring to a distinct entity?

It strikes me that this is, in fact, a specific example of the general
problem of identity establishment. Even in the real world there is no
definitive way of establishing identity, only a continuum of methods which
provide a corresponding range of assurance. PEM certificates (at least from
high-assurance PCAs) seem to be an attempt to provide an assurance which is
roughly equivalent to common modern forms of ID which carry some amount of
legal weight: driver's licenses, passports, business cards, signatures, and
the like. This, I would guess, is why DNs commonly contain the same kind of
information: mailing addresses, titles, email addresses, and so on.
However, there is, in the end, just as much ambiguity in a DN as there is in
a conventional form of ID. You can assume that an identity has been
established when the set of attributes presented matches your expectations
sufficiently well, but there's nothing inherent in the presentation which
can guarantee a match unless you have a corresponding expectation.
Amanda Walker
InterCon Systems Corporation