Is there anyone else out there tracking this thread? Does anyone else
see the problem or the lack of one? I think Jeff and I could both
really use some alternative insight.
It looks like the confusion concerns whether or not the key selector is a new
field within the X.509 certificate (vs. an arbitrary identifier in addition to
the X.509 certificate), and whether or not the selector is optional in the
presence of an X.509 certificate containing the public key.
My reading is that the selector is an additional field outside the
certificate, and that it is optional if either the X.509 certificate or the bare
public key itself is present. If my understanding is correct, I also fail to
see any problem.
I gather that Jeff's reading is that the selector is a new, mandatory field
within the X.509 certificate. If Jeff's understanding is correct, then I
share his objections.
Amanda Walker
InterCon Systems Corporation

I'm glad I'm not the only one who is confused.
However, in light of the excellent work done by Warwick and his compatriots,
and echoing John Linn's suggestion, instead of continuing to go round and round
on this, maybe we could first ask Jim Galvin for a reprise as to why the
current mechanism was adopted by TIS in the first place, and what problems it
was supposed to solve that weren't addressed by the PEM RFC. I think I know in
general, but I would like to hear a detailed analysis to refresh all of our
memories.
Then I would suggest that we all look at the v3 version of the X.509
certificate and see whether it solves the problem that Jim was trying to
address. I suspect and hope that it will.
If this is the case, I would hope that we could begin a healing process that
would eventually result in a harmonization of PEM without MIME, PEM with MIME,
AOCE, and some of the various other encryption/signature implementations (maybe
even PGP?) that are currently on the table, each with their various strengths
and faults.
I believe that all of the people on this list are quite technically astute. The
rift that has developed over the last year or so, first of all with respect to
goals and later with specific architecture and implementation choices, I
believe to be more a function of differing priorities in supporting selected
subsets of the user population than any fundamental problem, other than the
fact that the original X.509 certificate was standardized before anyone had
made a serious attempt to use it, and that the public use of X.500 (as opposed
to the private use within corporations and universities) has been unfortunately
slow to develop.
I believe that the new certificate structure will allow us to put in place
mechanisms similar to what Rhys Weatherley and I and a number of others have
tried to suggest in the past, but which were not well accepted because of some
of the emotional baggage associated with the use of certain forms of
Distinguished Names, especially as it relates to X.400 O/R names.
I think that we understand these issues much better now, and I hope we can move
on.
Bob