pem-dev

DUNS are valid names

1994-05-26 12:30:00
Bob has made the following points:

> 5.  My assumption would be that the DUNS number would essentially be
> used as an alias or pointer to the traditional civil naming structure
> entry, where all of the rest of the payload concerning that entity
> would be found.  However, this would give rise to a certain issue of
> trust.  Clearly the normal Directory Service Provider (DSP) is not
> going to accept any responsibility for the correctness of the DUNS
> number and the various implications that go with it (unless Dun and
> Bradstreet becomes a DSP).  So the alias between the DUNS number and
> the civil name entry cannot necessarily be trusted, at least to the
> same extent that the D&B entry could be.  Of course, the primary entry
> could and should contain a cross reference to the DUNS number, and the
> two should be compared, but still the DSP should probably not be
> trusted in any meaningful sense.

> 6.  Instead, it would appear highly desirable for Dun and Bradstreet
> (or any other registration authority) to become a Certification
> Authority, and to issue X.509 certificates binding the name of a
> company to their DUNS number, at least.  Whether they would want to
> include other information (such as annual sales, bond rating, etc.)  in
> that certificate remains to be seen.  Whether this kind of a
> certificate should be a standard identity certificate or whether it
> comes closer to an authorization certificate is not quite clear to me.

and later Bob said:

> Efforts are underway within the NADF, the Internet, and the Paradise
> project in Europe to bring all of these disjoint directory systems
> under the umbrella of one common naming and knowledge tree, probably
> making use of knowledge and naming link sharing tools such as the
> NADF's CAN tools, so that all ADDMDs and any Private Directory
> Management Domains that care to can have common access to all of the
> information in the public name space.


I will try to restate some of the points that I was making early on
naming authorities.

In EDI there is the concept of registration of naming authorities for a
wide variety of objects, including trading partner names.  In the US
this registration is maintained by X12, with international sets of names
also available.  These names are accepted in the community of interest
(i.e., EDI applications).

IMHO, it is a bad mistake for IETF or ITU or any other organization to
assume that they can create a singly rooted tree for all names that are
ever likely to exist.  This is the equivalent of the creation of a
common language Esperanto, doomed to failure.  Neither this group, nor
any other group will ever know all there is to know about naming, and so
the best that you can do is to create a structure into which a name can
be placed with reference to the source of that name.

You say that you cannot trust D&B to name corporations, but how can you
trust my parents to name me?  The argument is misplaced.  Names are just
tags, they do not serve to identify people in the sense that you are
trying to legislate (and yes, I do mean legislate).  I just learned
yesterday that Notaries are no longer accepted as signature guarantors
for stock transfers in the US.  This is a change, which I assume to be
for valid reasons, which could have destroyed a trust scheme based on
notaries.  Please do not try to link naming authorities to identity
proofs.  This is not a strength of PEM.  This is exactly why PEM is
failing.  Trust schemes must be made flexible enough for the application
that requires the trust.  In the securities application, it was decided
that a new trust grantor was required, so they created one.  Latin
notaries are not trusted any more, so a second layer of notaries to
notarize the lower layer notaries was created.  This process of change
will go on forever!  If you build a trust structure based on today's
trust patterns, it will not last as long as the time required to
complete the standard.

I have written this up in more detail for publication.  If anyone would
like to preview that paper, AND send me their evaluation, I will copy
you.

Peace ..Tom
