What if I didn't know that Judge Bork was a professor at Yale or a
resident of New Haven?  An authenticated X.500 name that had these
attributes in it would not mean anything to me.
I need to be able to equate the name in a certificate with the name
that I am most familiar with.  Perhaps I would appreciate X.500 names
in certificates more when the New York Times starts using X.500 DNs to
identify the people in its articles.
What I need are attribute certificates that securely map a DN to the
principal's alternate names, be they e-mail names or descriptive
textual attributes, or Bob's MPEG video.  I would like these
certificates to be notarized by possibly different Attribute CAs,
because each A-CA would have authority over only some name spaces.
Given this, I can map an X.500 name into a name that I can recognize and
accept.  A dream User-Agent would play the MPEG video on my screen
while I read my PEM message from Judge Bork.
I agree. A DN is intended to point to an entry which contains additional
attributes that could be used to resolve these issues, including additional
attribute certificates. But if we are trying to advance PEM without
also having to assume the ubiquitous availability of X.500, then we have to 
have a place to put those additional attributes within the certificate itself.
I hope that my recent lengthy message regarding X.509 certificate extension
will accomplish that goal, and would welcome your comments.
Bob