Steve,
I think I understand what Marshall was saying now. He isn't talking
about PEM at all. He is talking about the NADF and whether they
will allow certificates with names disjoint from the entry to
exist in the Directory.
Can you name an application (present or future) which would
use these disjoint certificates and DNs? I note that supplying
aliases in the DIT would preempt my objections, but I wonder if
there exists some other mechanism which would allow one to
perform Directory lookups? I.e., is there a way to construct
a certificatePath (and associated CRLs) when the entry DNs are
disjoint from the certificate DNs?
Please note that Marshall's observation:
    2. The issuer (CA) field of a PKC needn't correspond to an entry in the
    DIT. However, this may be useful as that entry might contain an
    objectClass attribute value of certificationAuthority, which indicates
    that the CA's entry contains information such as a PKC revocation
    list.
isn't strong enough. The "usefulness" of a one-to-one mapping
of DNs not only allows one to extract the CRL but to extract
the issuer's certificate, and so on recursively along the chain.
This is true for _every_ application which uses certificates
that I am aware of.
John
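As an added example, not part of John's message or of any PEM or Directory implementation, here is a toy model of the lookup he describes: the certificatePath is built by reading each issuer DN as a Directory entry, so it succeeds when certificate DNs and entry DNs coincide, fails when they are disjoint, and is repaired by an alias entry. All DNs, entries and CRL values below are constructed.

```python
# Added illustration with constructed names; not code from the message or any real DSA.
from collections import namedtuple
from dataclasses import dataclass, field

Cert = namedtuple("Cert", "subject issuer")  # only the two DNs matter for path building

@dataclass
class Entry:
    certificates: list = field(default_factory=list)  # userCertificate / cACertificate values
    crl: str = ""                                      # certificateRevocationList value
    aliased_object_name: str = ""                      # set only on an X.500 alias entry

def lookup(dit, dn):
    """Read the entry named dn, dereferencing it if it is an alias entry."""
    entry = dit.get(dn)
    return dit.get(entry.aliased_object_name) if entry and entry.aliased_object_name else entry

def build_certificate_path(dit, end_cert, trust_anchor_dn, max_depth=8):
    """Follow issuer DNs up to the trust anchor, collecting issuer certs and their CRLs.
    Raises LookupError when an issuer DN names no Directory entry."""
    path, crls, cert = [end_cert], [], end_cert
    for _ in range(max_depth):
        if cert.subject == trust_anchor_dn:
            return path, crls
        entry = lookup(dit, cert.issuer)
        if entry is None:
            raise LookupError(f"no DIT entry for issuer DN {cert.issuer!r}")
        if entry.crl:
            crls.append(entry.crl)
        issuer_cert = next((c for c in entry.certificates if c.subject == cert.issuer), None)
        if issuer_cert is None:
            raise LookupError(f"entry {cert.issuer!r} holds no certificate with that subject")
        path.append(issuer_cert)
        cert = issuer_cert
    raise LookupError("chain too long or cyclic")

ROOT = "c=US, o=Example Root CA"
CA_IN_CERT = "c=US, o=Example Org Inc, ou=Example CA"  # DN as written in certificates
CA_IN_DIT = "c=US, o=Example Org, ou=Example CA"       # DN of the CA's actual DIT entry
root_cert, ca_cert = Cert(ROOT, ROOT), Cert(CA_IN_CERT, ROOT)
alice_cert = Cert("c=US, o=Example Org, cn=Alice", CA_IN_CERT)

def path_with_matching_names():
    dit = {ROOT: Entry([root_cert], "crl-root"), CA_IN_CERT: Entry([ca_cert], "crl-ca")}
    return build_certificate_path(dit, alice_cert, ROOT)

def path_with_disjoint_names(add_alias):
    dit = {ROOT: Entry([root_cert], "crl-root"), CA_IN_DIT: Entry([ca_cert], "crl-ca")}
    if add_alias:  # alias entry under the certificate's DN pointing at the real entry
        dit[CA_IN_CERT] = Entry(aliased_object_name=CA_IN_DIT)
    return build_certificate_path(dit, alice_cert, ROOT)
```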