=>
=> Since the first time I thought about the 'CertId' concept, I realized that
=> it had to contain information about the certification hierarchy, so that
=> we can separate certification from naming hierarchy. I think that
=> X.500 DNs should be used for naming objects. The primary function of a
=> name (X.500 distinguished name or Internet domain name) is to
=> unambiguously and uniquely identify an object (person, machine,
=> application, etc.). It's my opinion that trying to adapt names (mostly
=> DNs) because of a certification need is not the way. For instance, there
=> exist situations where strict name subordination is natural, but
=> others where it is not, etc.
=>
I would like to challenge this assumption, and propose a different paradigm,
i.e.

THERE IS NO SUCH THING AS A NAME

In fact, it is quite easy to prove this paradigm by a reductio ad absurdum.
Given any set of symbols proposed as "your name", you can prove that it is
either ambiguous (there are probably many "Christian Huitema" in the world),
or subject to change (huitema@sophia.inria.fr may be a temporary mailbox) or
only reflects one facet of your identity (<huitema, sophia, inria, fr> versus
<Huitema, Antibes, France> versus <Huitema, IAB, Internet Society>).

Now, when you admit that, you may ask the next question. What is the purpose
of certification? I pretend that the goal is *not* to assert your name, but to
assert that the certified object possesses some "attributes" that grant some
privilege, or some function. When you are receiving mail, you want to be sure
of the qualification of the mail sender. When you are sending mail, you want
to be sure that you are accessing the correct destination. When you are
granting access to a document in a file server, you want to be sure that the
person is a member of the correct group. Hence the second paradigm:

A CERTIFICATE IS A PROOF OF QUALIFICATION

Which means indeed that one person should have many of them. Like one for
mailbox attachment, one for bank account, one for group X membership, etc.

Christian Huitema