pem-dev

Re: RIPEM details

1995-01-16 10:36:00
I'm a little behind because I'm on holidays (hi from Melbourne!).  I
raised the smart card example to show that key selectors in a message
were a good idea because it allowed smart UA's to prompt the user to
insert the right one.  This was in response to the suggestion that we
should do away with such things altogether (including issuer/serial)
and just say "the UA will try everything until one works".

Whether smart cards are identified by issuer/serial, arbitrary strings,
or the number of partridges in the recipient's pear tree is irrelevant,
as long as there is _some_ way of doing it.  Bob is (I believe) arguing
that issuer/serial is enough.  Maybe it is.  I'd prefer a little more
flexibility in key naming conventions and I'd also prefer naming conventions
that are based on the bozo who owns the key, not the bozo who signed
the key.

I don't have any problem at all with the recipient (the bozo who owns the key)
using a private directory with any kind of a naming scheme he wishes.

I have a BIG problem if said bozo wants me, the originator, to keep track of
all the gory details of his private naming conventions, and include all of that
gudge in my messages to him. That's what certificates are for.

So long as the information that is included in the certificate DN is globally
unique and reasonably descriptive of the user's identity, I could care less how
much additional garbage is crammed into the certificate DN. If someone wants to
include the e-mail address or their own personal directory search key, or the
name of the smart card that contains the key, that's all fine with me.

Obviously this would be cleaner with a v3 certificate, but there is NO reason
why DN in the certificate cannot contain this additional information, even if
it would appear to overspecify the DN from the standpoint of a Directory DN.

P.S.

I found a great recipe for Fair Dinkum Chili in a chili cookbook, but I can't
find some of the ingredients.  Would you please e-mail me 1 kilo of red
kangaroo shank, 500 grams of grey kangaroo steak, 500 grams of emu ham, and a
boomerang?  I have to wave the boomerang over the chili 14 times while it is
simmering in order to make it dinkum (authentic). And obviously we are very
concerned with authentication.

I assume that the boomerang would return to you automatically, of course.

After the chili has been digested, I would be happy to post the by-products on
this list, but perhaps there has already been a sufficient quantity of that
posted already.  :-)

G'day, mate!


Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
617/466-2820
Jueneman(_at_)GTE(_dot_)COM

