With regard to DN collision, this is another area which will
need attention as Jeff says. Jeff, would some sort of WAIS-indexed
database be useful? I suppose we could do some sort of net-grep
as an alternative.
I don't think you will ever come close to finding them all with such an
approach, because the users in question are hidden behind firewalls and
on systems such as AOL, CompuServe, etc. I think the CAs and/or PCAs
are going to have to register the names with an appropriate database or
directory at the time the certificates are proposed to be generated.
At least as far as I recall, the DN name collision problem only applies
to Residential Person users. (Organizational users have to solve the
problem for themselves, using a serial number or other convention if
necessary within their company.) But in the case of Residential
Persons, I am of the opinion that there is NO agreement presently as to
what the v1 x.509 DN "ought" to look like. Certainly the conventional
c=US, s=Massachusetts, l=Acton, streetAddress="10 Stoneymeade Way",
surname=Jueneman, cn="Robert R. Jueneman" COULD work, but what policy
the various PCA should support and/or enforce is a different matter
that has never been resolved.
To the best of my knowledge, neither the PEM WG nor the INA ever
defined a core set of attribute types that are required to be supported
(by the PCAs, the certificate generation software, and/or the PEM
software) for such purposes, much less a recommended schema for them.
The X.521 "useful attributes" are neither necessary nor sufficient for
this purpose.
The problem of how to list residential users has also come up in the
NADF, and as far as I am concerned we don't have an adequate answer
there, either, partly because of a lack of such users (a
chicken-and-egg problem).
I don't recall immediately how the PEM RFCs proposed to avoid collisions
in the name space for Persona users. The name subordination rules
wouldn't seem to apply here any more than in the case of the
Residential Person users.
Finally, neither the NADF nor anyone else in the X.500 community that I
am aware of has come up with a schema for the DIT that would work for
the purely "cyberspace" user of e-mail, for whom state, locality, and
street address is almost totally irrelevant and may be an invasion of
privacy besides.
Although I can hear the multitudes crying -- "See, we knew that X.500
DNs would never work -- we should just use e-mail names," that would be
a bit of an exaggeration. The DN in the certificate is not necessarily
expected to match or agree with the DN used by a directory service
provider to define an entry into the X.500 directory, so that shouldn't
be an issue.
In addition, although e-mail names may satisfy a substantial portion of
the user community's needs, it does NOT satisfy all of the user's
needs, and the various PCAs, e.g., the RSA Commercial Hierarchy are
perfectly within their rights to insist on a more legally relevant and
binding form of name identification.
Please note that all of the above has nothing whatever to do with the
actual use of an X.500 directory to solve these various problems. But I
would point out that the Internet already has a white pages project,
and the use of X.500 to solve such problems would appear to make a lot
of sense.
It is increasingly obvious that the architectural development of PEM
essentially stopped a year or so ago, leaving many of these practical
and interoperability issues as yet unanswered. I don't know who should
do what to whom within the Internet Society to get this effort back on
track and pointed towards closure of these issues, but I do know that
the NII and the Public-Key Infrastructure desperately need solutions
to these problems.
Bob
Robert R. Jueneman
GTE Laboratories
1-617-466-2820
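As an added illustration of the register-at-issuance idea above (not code from Bob's message, the PEM RFCs, or any PCA), here is a small Python registry that canonicalises a DN string in the spirit of X.500 caseIgnoreMatch and rejects a proposed certificate whose Residential Person DN collides with one already registered. The DN string syntax, the names `parse_dn`, `canonical` and `DNRegistry`, and the sample names are assumptions of this example.

```python
import re

# One 'type=value' component; the value is either a quoted string (which may
# contain commas) or an unquoted run up to the next comma.  Assumed syntax,
# simplified relative to the real X.500 string form.
_RDN_RE = re.compile(
    r'\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)\s*(?:,|$)')

def parse_dn(dn):
    """Split a DN string into an ordered list of (attributeType, value)."""
    rdns, pos = [], 0
    while pos < len(dn):
        m = _RDN_RE.match(dn, pos)
        if m is None:
            raise ValueError(f"malformed DN near offset {pos}: {dn[pos:]!r}")
        attr, value = m.group(1), m.group(2).strip()
        if value.startswith('"'):                 # drop quotes, unescape \"
            value = value[1:-1].replace('\\"', '"')
        rdns.append((attr, value))
        pos = m.end()
    return rdns

def canonical(dn):
    """Collision key: types lower-cased, values case-folded with whitespace
    runs collapsed (caseIgnoreMatch-like); RDN order is significant."""
    return tuple((a.lower(), " ".join(v.split()).lower()) for a, v in parse_dn(dn))

class DNRegistry:
    """Hypothetical registry a CA/PCA consults when a certificate is proposed."""
    def __init__(self):
        self._holders = {}          # canonical DN -> CA that registered it

    def propose(self, dn, ca):
        """Register dn for ca; return False (registering nothing) on collision."""
        key = canonical(dn)
        if key in self._holders:
            return False
        self._holders[key] = ca
        return True

# Constructed sample names; the first is the conventional DN quoted above.
BOB = ('c=US, s=Massachusetts, l=Acton, streetAddress="10 Stoneymeade Way", '
       'surname=Jueneman, cn="Robert R. Jueneman"')
BOB_RESPELT = ('C=us, S=MASSACHUSETTS, L=acton, STREETADDRESS="10  Stoneymeade  Way", '
               'SURNAME=JUENEMAN, CN="robert r. jueneman"')
BOB_SERIAL = BOB + ', serialNumber=2'   # disambiguated by a serial-number convention

if __name__ == "__main__":
    reg = DNRegistry()
    print(reg.propose(BOB, "PCA-A"))          # True: first registration
    print(reg.propose(BOB_RESPELT, "PCA-B"))  # False: same name, different spelling
    print(reg.propose(BOB_SERIAL, "PCA-B"))   # True: extra attribute makes it distinct
```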