On Tue, 12 Jul 1994 Jueneman@gte.com wrote:
> Camp A (academic/anonymous/anarchist/...)
Hi kids! :-)
This is my camp I suppose. My objections to DN's and the CA structure in
the past (to resurrect some more dead horses) have been the lack of guidelines
as to how to construct a Camp A certificate, and how to forgo even needing
to get the darn thing signed before using it. The chicken and egg problem.
PGP/RIPEM are nifty and all that but they are a separate thing to be
supported and suffer from not being standardised in the RFC's. If the next
version of PEM said "compliant implementations MUST support the RIPEM
extensions for all time" I'd be a happy camper.
Guidelines ideally would have the form "if you don't have any clue what your
DN may be then you can construct one like thus: ...". This can either be
done through a translation mechanism for e-mail addresses (the most obvious)
or a specially identified DN which is set aside in the standards for anyone
to put anything under. e.g. "O=Untrusted Name, CN=Rhys Weatherley". Then
people at least know how to choose a reasonably unique name (it won't be
totally unique of course) if they have no need of CA's and directory lookups.
"If you want my public key, you can ask for it dammit!". :-)
I believe that some of this may even help Camp B deployment, allowing
businesses to trial PEM software and then once happy that their problems
can be solved, get a real organisational DN and go to a real PCA to get
it certified. Currently a lot of effort, usually involving the corporate
"keeper of names" lawyer, is needed just to try before you buy.
Some of these were partially resolved the last time round, and I really need
to update and repost my draft on embedded e-mail addresses in DN's. So much
to do and so little time ... :-(
Cheers,
Rhys.