pem-dev

Re: DN/EN pairs

1994-02-07 11:32:00

From:  Stephen D Crocker <crocker(_at_)tis(_dot_)com>
To:  pem-dev(_at_)tis(_dot_)com

For anyone who didn't wade through my last note responding to Bob
Jueneman's (jueneman(_at_)gte(_dot_)com) two messages, I'll repeat the main
idea proposed in that note.

Proposed: Certificates be modified to provide two forms of
identification, the distinguished name (DN) as it's presently defined,
*and* an email name (EN) directly usable as the network address
associated with the same entity.

If you are giving up on X.509 certificates, a good step in my mind,
seems like you should consider from the ground up what should be in
this new certificate spec, which, I assume, will be under IETF change
control.

Synopsis of argument: Both are needed.  Attempts to make one or the
other the primary form lead to potential security flaws.

Including DNs in the certificate is only important if you believe that
DNs are important.

Steve

+-------------------------------------+-------------------------------+
|  Steve Crocker                      | Voice: 301-854-6889           |
|  Trusted Information Systems        | FAX:   301-854-5363           |
|  3060 Washington Road (Route 97)    |-------------------------------|
|  Glenwood, MD  21738                | Internet: crocker(_at_)tis(_dot_)com |
+-------------------------------------+-------------------------------+

Donald

