Given some of the discussion that has taken place regarding alternatives to the
civil naming structure, and Rob Shirey's recent posting of information
regarding commerceNet, the following discussion between Michael Baum and myself
might be interesting to pem-dev readers:
Bob
Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
617/466-2820
Jueneman(_at_)GTE(_dot_)COM
---------- Forwarded message ----------
Date: Mon, 23 May 94 16:09:21 -5
From:Jueneman(_at_)GTE(_dot_)COM
To: Baum(_at_)im(_dot_)com
Cc: h(_dot_)kesterson(_at_)smtplink(_dot_)az05(_dot_)bull(_dot_)com,
71623(_dot_)1226(_at_)compuserve(_dot_)com
Subject: Re: numbering
Bob,
What do you think of the President's Task Force's decision to recommend
the use of DUNS NUMBERS as the critical numbering device for NII purposes?
Regards,
Michael
text follows:
TRADING PARTNER REGISTRATION
Requirement: We must establish a government-wide data base
of trading partner information to eliminate duplicate supplier
registration files throughout the Federal community. We must also
have a unique supplier numbering scheme.
Analysis: By collecting information once early in the registration
phase, future EDI-based business activities can be focused on the
purchase transaction. The trading partner registration data base
covers basic business information, business capabilities, and
financial information. We want to link that information to past
performance and to existing supply, procurement, and financial
files by using a unique supplier numbering scheme. To that end,
we conducted an extensive evaluation of government and private-
sector numbering schemes: the Contractor Establishment Code
(CEC), Data Universal Numbering System (DUNSb) number,
taxpayer identifying number (TIN), Commercial and Government
Entity (CAGE) code, and other commercial codes. Of these
numbering schemes, the DUNSb number was the best: it is a widely
used domestic and international commercial identification number
for electronic commerce (54 U.S. industries and the United Nations
use DUNSb for EDI); it is supported by a worldwide data collection
program that focuses on maintaining an accurate data base of
unique identification numbers (35 million numbers assigned
worldwide); it is a validated numbering scheme ($300 million spent
annually to validate its accuracy as contrasted to TIN, which is not
validated); it has worldwide support for numbering and positive
identification of entities; its numbers are assigned to the lowest
possible organizational business level (far lower than the TIN,
which is a higher organizational control number); and it is issued at
no cost to the Federal government or trading partner. Furthermore,
the DUNSb number can be crosswalked against the other existing
numbering schemes and can serve as a pointer to the data stored
according to another numbering system.
[sorry about the translation DINSb = DUN's] !!!
Michael,
Interestingly enough, at last week's NADF meeting we spent a fair amount of
time discussing DUNS numbers and other alternatives to the "normal" X.500 civil
naming structure. I'm going to post your question to the NADF, and will forward
any replies to you. Certainly such groups as GEIS and Advantis might have some
useful input.
I am assuming that you are asking my opinion regarding the naming issues, and
perhaps implications re the certificate hierarchy.
From the standpoint of an X.500 distributed directory and X.509 public key
certificates, the following thoughts occur to me:
1. If the DUNS number is to be useful, we would need a reverse directory that
would point from the DUNS number to the more traditional civil organizational
name. Conducting a search operation over 35 million organizations located in a
number of different countries and spread over multiple directory service
providers would certainly be inefficient. The DUNS number is certainly globally
unambiguous, so it would satisfy the criteria for a Distinguished Name, but it
would also result in a very flat hierarchy that might not be the most efficient
from a search strategy.
2. At present, the two primary name attributes that are defined under the C=US
are Organization, and StateOrProvince. The NADF adds a third attribute, ADDMD,
(ADministration Directory Management Domain) as a way of uniquely qualifiying
names that otherwise might not be unique, using the name of the ADDMD in order
to avoid the need to coordinate such names across different domains.
3. Ideally, an international EDI number registration authority would be rooted
at the ITU level, not under any particular country, as I understand that the
TEDIS project is attempting to do. This would take a lot of diplomatic
negotiation, I should think, particular if a commercial enterprise such as Dun
and Bradstreet were to be granted a world-wide monoply for this function.
4. In the best of all possible worlds (from a purely technical directory
standpoint), it would be convenient if the worldwide EDI registration authority
were to operate as a monopoly ADDMD. This way every other Directory Service
Agent (DSA) would know where to go to find the information. Otherwise, and
especially if the DUNS information were spread across multiple countries, it
would be necessary to list all 35 million names in the public name space
(provided through a batch (at present) process called the CAN to all other
ADDMDs). However, competitive forces may require that the information be spread
across all providers, which makes the process much more difficult.
5. My assumption would be that the DUNS number would essentially be used as an
alias or pointer to the traditional civil naming structure entry, where all of
the rest of the payload concerning that entity would be found. However, this
would give rise to a certain issue of trust. Clearly the normal Directory
Service Provider (DSP) is not going to accept any responsibility for the
correctness of the DUNS number and the various implications that go with it
(unless Dun and Bradstreet becomes at DSP). So the alias between the DUNS
number and the civl name entry cannot necessarily be trusted, at least to the
same extent that the D&B entry could be. Of course, the primary entry could and
should contain a cross reference to the DUNS number, and the two should be
compared, but still the DSP should probably not be trusted in any meaningful
sense.
6. Instead, it would appear highly desirable for Dun and Bradstreet (or any
other registration authority) to become a Certification Authority, and to issue
X.509 certificates binding the name of a company to their DUNS number, at
least. Whether they would want to include other information (such as annual
sales, bond rating, etc.) in that certificate remains to be seen. Whether this
kind of a certificate should be a standard identity certificate or whether it
comes closer to an authorization certificate is not quite clear to me.
7. If D&B chooses not to step up the challenge of being a CA, a second best
alternative for either a public or private commercial CA would be to request
the DUNS number from any listing company, and then seek confirmation of the
accuracy of that listing from D&B directly. This is obviously a Trusted Third
Party or notarial function.
8. It appears that D&B spends a fair amount of money confirming the accuracy of
their database. (At one time I operated a small free-lance photography
business, and I used to get periodic questionaires from them.) This at least
addresses part of the problem of transfer or cessation of activities.
9. Your question specifically addressed the NII, which seems to mean different
things to different people. Some seem to think that it involves a lot of cable,
and presumably includes entertainment video. Others may view it as an expanded
EDI network. My view is that it is likely to be pretty close to the current
Internet in its scope and use, and therefore the use of a DUNS number for
general purpose addressing and/or certificate issuance would probably NOT be
suitable.
Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
617/466-2820
Jueneman(_at_)GTE(_dot_)COM