Dave and Valdis,
I disagree with the notion that DNs, because they are long,
are too confusing for people to deal with. It is not reasonable to
compare DNs to X.400 addresses, as the latter include reference to
service provider affiliation and thus introduce a confusing element.
As in many situations, user interfaces are critically inportant to the
acceptanec of any technology and with good interfaces, I believe that
DNs will be easy to use. Folks who have made use of the GMD PEM
implementation have a sense of what a well-designed user interface can
do to make use of DNs palatable.
We will have an opportunity to test my claim on a larger scale
over the next couple of years, in that the DMS will have a fairly
large number of subscribers who will make use of certificates with
DNs. The DoD has a fairly wide range of members, with different
levels of education and computer literacy, so it may be a reasonable
test of the problems that one might enocunter in more widespread use
of DNs in certificates.
The problem cited by Valdis, choosing the right certificate to
use as sender, ought not be a problem in most instances, because most
individuals would probably have very few choices anyway. For example,
you might have one for home/personal use, one for individual work use,
and maybe one for a work role that corresponds to a job title. I deal
with more complexity that that when I travel and have to decide when
to use a corporate Amex card, a personal Amex card, or a (personal)
Visa card.
I agree with Dave's observation that the very short DNS name
style cannot scale, though others have disagreed with what seems to be
a rather obviuous observation. The short DNS names are attractive
because we still have to type them all too often, due to a lack of
good email user interfaces, and because they are (relatively) easy to
remember. However, the growing popularity of email puts too much
pressure on very short names, other than for use as purely local
aliases.
Steve