Marshall,
Could you clarify something regarding Distinguished Names
for me? I am having difficulty understanding what appear to
be fundamental X.500 concepts.
Suppose that ATT, MCI, Sprint, the Post Office, Cellular One, and
GTE all decide to offer an X.500 directory service, and that a
number of customers sign up with each one. Let's assume
that antitrust provisions preclude these various organizations
from carving up the US into neat, non-overlapping territories,
either geopolitical or organizational. I.e., ATT doesn't get all
of the residential users in Alabama through Connecticut, and all
organizations beginning A through C.
1. If I am a customer of GTE's directory service, how does
someone who is a customer of ATT locate any information
about me, and vice versa? In particular, do I have to know and
include the name or OID of the Administrative Domain Directory
Management Domain (ADDMD) or the Private Directory
Management Domain (PRDMD) in the distinguished name in
order to find the rest of the relevant information? This is no
problem in the case where there is only one ADDMD per country,
or if an organization name is equivalent to a PRDMD. But if there
are multiple, competing organizations within a country without a
higher level name registration database, I don't understand how
to solve the problem.
2. Is any provision being made to merge the information
provided by various information providers (who may or may
not be directory service providers), so that if I wished
to I could get a user's local phone number from GTE, his
cellular number from Cellular One, his street address from the
Post Office, and his e-mail address from MCI-Mail? Or does the
user have to supply this information in order to make available a
consolidated listing?
3. X.509 certificates are intended to be used to provide strong
authentication of users, and presumably will control access to the
user's own information. But will the Directory providers allow
ANYONE's X.509 certificate, signed by God-knows-who,
to be used to authenticate that type of access? Does the
directory service provider have to issue X.509 certificates
as a CA to those users who want to control their own attributes
(listings?)? Has anyone thought about the use of specific
attributes to be used to control whether a user can read or
write certain information?
4. What kind of interface is envisioned between the Certification
Authorities and the directory providers? I.e., how will X.509
certificates and CRLs be entered into the Directory for
distribution?
I don't know whether you have been a regular reader of pem-dev.
If you have been, then you probably understand the context of
these questions. If not, I would be happy to give you some more
background behind the issues that we are facing.
Thanks
Bob Jueneman
GTE Laboratories
617/466-2820