-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-ID-Asymmetric: MFYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTE
kMCIGA1UEChMbVHJ1c3RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMRQwEgYDVQQLEwt
Mb3MgQW5nZWxlcw==,08
MIC-Info: RSA-MD5,RSA,gProAKwE92xKB3oWHeOpNC7InAkt+6v3/LJSlo2Q7n2
evGcfrMIi015MbMaCDUJ2nhbu8SQNCKlL5WW1NGYDxme5yOuu1mf8XCFSfSSlObN
0PvLZHlbryjs2gFeMqbDp
I heartily second Mr. Jueneman's proposal to use "Teletex string" for "names
in X.500 directories, including Distinguished Names included within X.509
certificates."

I'm jumping into this conversation in the middle, so let me introduce myself.
My name is Jeff Cook; I work for Trusted Information Systems, and one of my
responsibilities is developing PEM *applications*. I have developed several
pieces of software based on the "Privacy Enhanced Mail Based Servers" concept
(PEM extensions to Mail Based Servers). I also use PEM in almost all of my
everyday e-mail transactions, by default.

Two of the most annoying problems I have with PEM are (a) the decoupling of
e-mail addresses and distinguished names/certificates and (b) the ungainly
certificate sharing/hierarchy mechanism. Mr. Jueneman's proposal has the
potential of solving (a); more on (b) in future messages.

If the "Teletex string" proposal is adopted, then the distinguished naming
scheme can remain as it is (no need for a structured dname->emailaddr
translation), and sites that register users with PEM can *mandate* that the
Common Name component include the e-mail address of the registered user,
i.e., for myself I would like the string:

    Jeffrey V. Cook <jvc(_at_)la(_dot_)tis(_dot_)com>

as my Common Name. (I know this is not a new proposal; I think Steve Crocker
may have put it forth in the past, but here I am giving my public support
to this scenario.) This string looks just like an e-mail signature, lends
itself easily to automated processing, and uniquely identifies me. In fact,
this string is *exactly* what PGP recommends you use as your "User ID" to
uniquely identify your public/private key pair.

Use of Common Names containing e-mail addresses creates hard links between
e-mail addresses and dnames/certificates, and solves many of the usability
and user-interface problems with PEM. Site-wide databases of e-mail address
=> certificate mappings may then be kept, eliminating the per-user PEM alias
databases that have disgusted and turned away so many first-time PEM users.
This feature would also make certificate responders easier to construct.

My 2 cents for now... Jeff
+---------------------------------------------------------------------------------+
| Jeff Cook (jvc(_at_)la(_dot_)tis(_dot_)com)  | For my PEM certificate/public key,  |
| Trusted Information Systems, Inc.         | send me an e-mail message with      |
|                                           | Subject: PEM certificate request    |
| Phone: 310.477.5828                       |                                     |
| FAX: 310.477.1998                         | For info on TIS/PEM send e-mail     |
|                                           | to tispem-info(_at_)tis(_dot_)com   |
+---------------------------------------------------------------------------------+
-----END PRIVACY-ENHANCED MESSAGE-----
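As an added illustration of the scheme the post advocates (example code written for this page, not TIS software and not anything posted in the thread), the Python below does three things: it checks whether a Common Name fits the X.680 PrintableString alphabet, which contains no "@" and is the reason an e-mail address inside a CN needs a Teletex (T61) string; it pulls the address out of a "Full Name <user@host>" Common Name with the standard library's `email.utils.parseaddr`; and it builds the site-wide e-mail address => certificate map the post describes, refusing to let two different certificates claim the same address. The DN strings and certificate blobs are constructed samples, the DN splitting assumes no escaped commas, and lower-casing the whole address is a site-policy assumption rather than an RFC rule.

```python
import re
from email.utils import parseaddr
from typing import Dict, Iterable, Optional, Tuple

# X.680 PrintableString alphabet: A-Z a-z 0-9 space and ' ( ) + , - . / : = ?
# '@' is absent, so a CN carrying an e-mail address cannot be encoded as
# PrintableString; TeletexString (T61String) is the wider type the thread proposes.
PRINTABLE_STRING_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)


def is_printable_string(value: str) -> bool:
    """True if every character of value is in the PrintableString alphabet."""
    return all(ch in PRINTABLE_STRING_CHARS for ch in value)


def directory_string_type(value: str) -> str:
    """Narrowest of the two string types under discussion that can carry value.

    Assumption: only plain ASCII values are considered for TeletexString here;
    T.61 covers more, but that mapping is out of scope for this example.
    """
    if is_printable_string(value):
        return "PrintableString"
    if all(ord(ch) < 128 for ch in value):
        return "TeletexString"
    raise ValueError("value not representable by this example's string types")


def cn_from_dn(dn: str) -> Optional[str]:
    """Pick the CN attribute out of an RFC 1779 style 'C=US, O=..., CN=...' string.

    Assumption: attribute values contain no escaped commas (true for the samples).
    """
    match = re.search(r"(?:^|,\s*)CN=([^,]*)", dn)
    return match.group(1).strip() if match else None


def email_from_common_name(cn: str) -> Optional[str]:
    """Extract the RFC 822 address from a CN such as 'Jeffrey V. Cook <jvc@la.tis.com>'.

    Returns None when the CN carries no address, so plain-name CNs are not indexed.
    Lower-casing the whole address is a site-policy assumption for map lookups.
    """
    _name, addr = parseaddr(cn)
    if not addr or "@" not in addr:
        return None
    return addr.lower()


def build_address_map(certs: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Build the site-wide e-mail address => certificate map from (dn, cert) pairs.

    Two different certificates claiming one address is treated as a registration
    error rather than silently overwritten.
    """
    mapping: Dict[str, str] = {}
    for dn, cert in certs:
        cn = cn_from_dn(dn)
        addr = email_from_common_name(cn) if cn else None
        if addr is None:
            continue  # no embedded address: this DN needs a manual alias entry
        if addr in mapping and mapping[addr] != cert:
            raise ValueError(f"two different certificates claim {addr}")
        mapping[addr] = cert
    return mapping


# Constructed sample registrations; the certificate "blobs" are placeholders.
SAMPLE_CERTS = [
    ("C=US, ST=CA, O=Trusted Information Systems, OU=Los Angeles, "
     "CN=Jeffrey V. Cook <jvc@la.tis.com>", "cert-blob-1"),
    ("C=US, O=Example Org, CN=Alice Example <Alice@Example.org>", "cert-blob-2"),
    ("C=US, O=Example Org, CN=Bob Nomail", "cert-blob-3"),
]


if __name__ == "__main__":
    for dn, _ in SAMPLE_CERTS:
        cn = cn_from_dn(dn)
        print(f"{cn!r}: {directory_string_type(cn)}")
    print(build_address_map(SAMPLE_CERTS))
```

Run stand-alone it classifies the first two CNs as TeletexString (because of the "@") and the third as PrintableString, and prints a map with two entries; Bob's plain-name CN is skipped, which is exactly the per-user alias case the post wants to eliminate.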