Bob,
You stated that you didn't understand why DNs were present in
X.509 certificates:
Finally, no one has yet advanced a compelling argument as to why the most
useful content of the X.509 has to be in Distinguished Name format in any
case, nor what the correlation should be between that DN and the DN (any DN)
in the X.500 directory itself. No other X.500 attribute that I am aware of
contains a DN itself (except for the obvious cases of aliases and seeAlsos,
etc.), so this seems rather strange.
The reason is to allow searching. Don't you understand that the
Directory is a mailer's, and particularly a secure mailer's, best friend?
Here is the vision, the architecture, what is desired as opposed
to what is available ...
1) All mail recipients are addressed solely by their DN except
when all other means of contact have failed. The MTA
performs directory lookups to find the ORAddress. Distribution
lists consist of a single DN.
a) I can now change my ORAddress when I need to, even
for the weekend or vacation period so that mail can
be sent to my location or secretary.
b) I can change affiliation (BBN to GTE for example) and not
change my DN but only my ORAddress.
2) All my public key certificates are present in my Directory entry.
These include my SDNS, Mosaic, PEM, and foomail certificates.
Anyone who needs to communicate with me securely can find
a certificate to match their needs.
3) Anyone needing to can VALIDATE my certificates because, since the
DN of the CAs was used in the X.509 certificates, they can obtain
the necessary certificate and associated CRL from the CA's
directory entry.
4) Those desiring to can also fetch and validate any AUTHORIZATION
information and validate that information because they have
my DN. (a la X9.30 perhaps) Note that X9.30 also uses DNs ...
5) Since the Directory is global, anyone on the planet can fetch
my certificate and engage in secure communication with me.
Do you have ANYTHING, implemented or architected, which will give me
the functionality described above?
John Lowry
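The lookup-and-validate flow of steps 2 and 3, as an added example that is not part of John Lowry's message: Go's standard crypto/x509 issues a CA certificate, two user certificates and a CRL, files each under its subject DN in in-memory maps that stand in for the X.500 Directory, and Validate uses the Issuer DN carried inside a certificate to fetch the CA's entry and check signature and revocation. The CA name, user names and serial numbers are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Certs and CRLs stand in for the global X.500 Directory (constructed, in-memory): each subject's certificate and each CA's CRL are filed under the owner's DN.
var Certs, CRLs = map[string]*x509.Certificate{}, map[string]*x509.RevocationList{}

// Validate is step 3 of the message: the Issuer DN inside the certificate is the key to the CA's Directory entry, which supplies the CA certificate and CRL needed to check it.
func Validate(cert *x509.Certificate) error {
	ca, crl := Certs[cert.Issuer.String()], CRLs[cert.Issuer.String()]
	if ca == nil || crl == nil { return errors.New("issuer DN has no Directory entry with certificate and CRL") }
	if err := cert.CheckSignatureFrom(ca); err != nil { return err } // really issued by that CA?
	if err := crl.CheckSignatureFrom(ca); err != nil { return err }  // CRL really published by that CA?
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 { return errors.New("certificate is listed on the CA's CRL") }
	}
	return nil
}

// Populate files a CA and two user certificates under their DNs, then revokes the second (constructed data).
func Populate() (good, revoked *x509.Certificate) {
	file := func(serial int64, cn string, ku x509.KeyUsage, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{"BBN"}},
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
		if parent == nil { parent, signer = tmpl, key } // self-signed CA
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
		if err != nil { panic(err) }
		cert, _ := x509.ParseCertificate(der)
		Certs[cert.Subject.String()] = cert // filed under its own DN, as step 2 describes
		return cert, key
	}
	caCert, caKey := file(1, "Example CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil)
	good, _ = file(2, "John Lowry", x509.KeyUsageDigitalSignature, caCert, caKey)
	revoked, _ = file(3, "Old Key", x509.KeyUsageDigitalSignature, caCert, caKey)
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}}}, caCert, caKey)
	if err != nil { panic(err) }
	CRLs[caCert.Subject.String()], _ = x509.ParseRevocationList(der) // CRL attribute on the CA's entry
	return good, revoked
}
```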