pem-dev

Re: New directions (was: Re; FYI)

1994-02-24 04:07:00
> True.  I was mainly trying to be nice by pulling out the country name
> in all the non-US cases, and wanted to be consistent with the handling of
> the US domains as well.  An equally reversible mapping would be obtained
> by using "C=??, O=Internet" for all 2 letter top level domain names
> (including "us") and just "O=Internet" for the others.

Rhys,

It is important to keep it simple. Trying to insert a fancy algorithm like
labelling DNS tokens sometimes as country, sometimes as O, sometimes as OU does
not work. Like, how do you label "ac" in "cs.ucl.ac.uk"? Or even "uk", for
that matter. Thus the idea to pick exactly one type for all tokens, and just
apply it.

Having an O=INTERNET sit on top of the hierarchy looks nice for the X.500
weenies but poses a lot of problems. To put it shortly, they will almost
certainly not agree to register it in the top level international X.500
servers, and you will be subject to endless debates such as why "INTERNET"
rather than "Internet Society" or why don't you locate the Internet Society
under its registration place, e.g. Washington, DC, US? All in all, we are
better off by not adding any unnecessary noise to the structure and doing one
of the following two things:

  1) Register a "domainComponent" OID - probably something shorter than the
     X.25 address of UCL,

  2) subvert the X.509 certificate structure, e.g. changing the name definition
     from:

        Name ::=
            SEQUENCE OF
                SET OF SEQUENCE {
                    att-type  OBJECT IDENTIFIER,
                    att-value ANY DEFINED BY att-type }

     to:

        Name ::=
            SEQUENCE OF
                CHOICE {
                    x500classic SET OF SEQUENCE {
                        att-type  OBJECT IDENTIFIER,
                        att-value ANY DEFINED BY att-type },
                    dnstoken    IA5String }

In fact, I would tend to favour the second approach, for this is the one with
the smallest overhead and also the smallest insertion of "arbitrary
information".

Christian Huitema
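Approach 1 above, worked through as an added example (this is not code from the pem-dev thread or from any PEM implementation): every DNS label becomes one domainComponent RDN, root label first, so no token has to be classified as country, O or OU, and the DER Name decodes back to the original DNS name exactly. It assumes the domainComponent attribute type OID 0.9.2342.19200300.100.1.25 (the value registered in RFC 1274; the message itself names no OID). The DER encoder and decoder are hand-written here so the wire form is visible; only the subset of DER this structure needs is implemented.

```python
# Added example, not from the pem-dev thread: DNS name <-> X.509 Name made
# only of domainComponent RDNs.  The OID below is the registered
# domainComponent type (RFC 1274); the page names none.  Hand-written DER.

DOMAIN_COMPONENT_OID = "0.9.2342.19200300.100.1.25"
TAG_OID, TAG_IA5STRING, TAG_SEQUENCE, TAG_SET = 0x06, 0x16, 0x30, 0x31


def _der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed in one octet, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))  # continuation bit on all but last
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(out))


def dns_to_name_der(dns_name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { DC-oid, IA5String label }.

    Every label gets the same attribute type, so "ac" and "uk" need no
    special classification and the mapping is reversible."""
    labels = dns_name.strip(".").lower().split(".")
    rdns = []
    for label in reversed(labels):  # root first: uk, ac, ucl, cs
        value = der_tlv(TAG_IA5STRING, label.encode("ascii"))
        atv = der_tlv(TAG_SEQUENCE, encode_oid(DOMAIN_COMPONENT_OID) + value)
        rdns.append(der_tlv(TAG_SET, atv))
    return der_tlv(TAG_SEQUENCE, b"".join(rdns))


def dns_to_dn_string(dns_name):
    """Same mapping in string form, most specific component first."""
    labels = dns_name.strip(".").lower().split(".")
    return ",".join("DC=" + label for label in labels)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    pos = 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        yield tag, content


def name_der_to_dns(der):
    """Reverse dns_to_name_der; reject anything that is not a pure DC chain."""
    tag, rdn_seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("Name must be a single SEQUENCE")
    dc_oid = encode_oid(DOMAIN_COMPONENT_OID)
    labels = []
    for set_tag, set_content in _children(rdn_seq):
        atvs = list(_children(set_content))
        if set_tag != TAG_SET or len(atvs) != 1 or atvs[0][0] != TAG_SEQUENCE:
            raise ValueError("each RDN must be a SET of exactly one SEQUENCE")
        parts = list(_children(atvs[0][1]))
        if (len(parts) != 2 or der_tlv(*parts[0]) != dc_oid
                or parts[1][0] != TAG_IA5STRING):
            raise ValueError("attribute is not a domainComponent IA5String")
        labels.append(parts[1][1].decode("ascii"))
    return ".".join(reversed(labels))


if __name__ == "__main__":
    der = dns_to_name_der("cs.ucl.ac.uk")
    print(der.hex())
    print(dns_to_dn_string("cs.ucl.ac.uk"), "->", name_der_to_dns(der))
```

The decoder deliberately refuses any RDN whose type is not domainComponent, which is the check a relying party would need if a DC-only Name is to be trusted as a faithful image of the DNS name. Approach 2's CHOICE with a bare IA5String, by contrast, produces a Name that an unmodified X.509 parser cannot read at all, which is the cost hidden behind its smaller overhead.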
