Steve,
From: Steve Kent <kent(_at_)bbn(_dot_)com>
To: Stephen D Crocker <crocker(_at_)tis(_dot_)com>
Cc: pem-dev(_at_)tis(_dot_)com
In-Reply-To: Your message of Sun, 13 Mar 94 08:16:33 -0500.
<9403131316(_dot_)AA05331(_at_)tis(_dot_)com>
Steve,
Your forwarded message with Mr. Bork's email address does
point out the limitations of any naming scheme, but I think it
supports, rather than undermines, the observations that have been made
about the relative descriptiveness of DNS addresses vs. DNs.
I don't know of anyone who claims that the typical DNS name is
more descriptive than the typical DN. It's just that DNS names
are usually easier for people to use, get right, remember, etc.
First, you noted that it took some digging to find out that
FRB.GOV was the federal Reserve Board. With a good DN this would have
been obvious.
I do not question that there are advantages to "good DN"s. The
question is does the goodness outweigh the costs.
I'm sure that to over 95% of the world's population "Federal Reserve
Board" is not the slightest bit more meaningful than frb. To figure
out what a name means, you need good information/directory/hypermedia.
Second, I note that "borkr" is the email address, but
Mr. Bork, appears to have felt that was not a very descriptive DNS
address, so he added his own expansion of it. Again, with a good DN,
the certified name would be more like the comment included with his
DNS address, not the DNS address itself.
So what? If it was an employment based certificate, Mr. Bork might
well include his home address, etc., as a comment and if it was a
residential certificate he might well include his work address, etc.,
as a comment. You might as well just let him include what he wants.
If you want some assurance of the truth of what he claims, then you
need statements signed by some entity you trust that vouches for these
claims. But the number and variety of such claims is likely to be a
much too voluminous to fit into any reasonable sort of single
"certificate".
Finally, yes, even with a reasonable DN, you can't tell if
this is the same Bork who was a Supreme Court nominee. It would be
reckless to assume that he was from this name, since the name would
only indicate that this Bork works for the Fed. I think it
unrealistic to expect any certified name to tell you everying about
the person, but this example also suggests that a well-formed DN would
have provided much more of the info that you either had to work to
find out or had to trust the commented form of the DNS address to
Anyone who really trusts the comments is being foolish. But there
will be foolish people and there will be comments and I don't see any
scheme eliminating the potential for some people to be mislead.
If you have to look elsewhere for information, you want a name that
helps you. The Domain name is the best index into the domain name
database. The email name is useful for looking into a number of
databases or fingering them or mailing their postmaster or a superior
domain name's postmaster, etc. If there ever really is a widespread
X.500 directory, one would expect to be able to efficiently query it
by email name (at least the designer of the data structre in the
hypothetical X.500 had better do that if they want people to use their
directory much). So what use are DNs? (Yes, I realize you could make
DNs that exactly or almost exactly maped to email addresses but we are
talking about this "civil naming authority" stuff for DNs.)
provide. The suggestion that one might jump to an unwarrented
conclusion based on knowing this information in a more assured
fashion, strikes me as a preety weak argument against DNs.
The argument against DNs is that they are grotesquely cumbersome
relics that few use and fewer want to use. DNS/email names are the
names that people use. They are unique. There are plenty of them to
go around. They have enough internal redundancy yet are compact
enough that they are reasonably easy to remember, write down, etc.
Steve
Donald