Bob,
a way to start solving the problems is to make some concrete
recommendations as to how to proceed with registration.

OK. How's this for a concrete proposal (subject to management approval, of
course):
1. GTE Laboratories will set up and operate an X.500 DSA for the purpose of
widely distributing X.509 v1 (and later v3) cryptographic certificates, _and_
resolving potential conflicts of Residential and Persona DNs for the worldwide
Internet community. Certificates would not be limited to residential or persona
users, however -- organizational person users would also be encouraged to use
the facilities. In this case we would be acting as an ADDMD. No representations
or warranty would be offered or implied as to the accuracy or reliability of
the information contained, nor the relationship between a particular name or
alias and a cryptographic certificate. No "Right to Use" name requirements
other than common decency will be imposed -- that is the province of the CA
and/or PCA.
2. There will be no cost to the users for this service for a period of at least
one year. We may have to ask the PCAs, the CAs, and/or the ISOC to defray a
portion of the administrative costs if the volume becomes too great -- TBD.
3. In the initial phases, DN entries will be created and certificates entered
into the database by a manual process. Later, I would expect that the ability
to deposit certificates into the DB would be extended to the PCAs, and perhaps
to CAs as well. The ability of users to add or update additional entries will
require further study, and will depend on how quickly we can implement a
suitable form of access control. There may also be some legal considerations.
4. We will develop and publish a suitable schema to be used for searching the
directory. The DN used in the certificate will not necessarily have to conform
to that schema. I would envision that rfc822 e-mail names; residential person
DNs consisting of country, state/province, locality, and surname plus a unique
ID; and organizational person DNs could all be used for search purposes.
Persona DNs will be registered under a unique attribute type to avoid any
confusion.
5. Initially, this would be a single, centralized database, but it would be
accessible by anyone with the appropriate DUA software. My present intent would
be to support access via the Web and an LDAP server as well. Ultimately
(probably within six months), the DSA would be interconnected to other DSAs
worldwide as part of the NADF pilot project. This would integrate the
cryptographic certificate server with the Internet white pages and the Paradise
projects.
6. I haven't thought about this a great deal, but it would seem reasonable to
include the name of the CA and PCA in the entry containing the user's
certificate. Contact points, CRL responder names, etc. could also be included.
Finally, although I support putting the PCA's policy on the Web server, it
would also seem reasonable to make it available via the X.500 server.
7. Whether CRLs should be distributed via the X.500 server will require some
further thought.
Comments?
Bob
--------------------------------
Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
Internet: Jueneman(_at_)gte(_dot_)com
FAX: 1-617-466-2603
Voice: 1-617-466-2820
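Item 4 proposes three name forms for searching the directory (residential, persona, and organizational person DNs). The example below, added here and not part of Bob's post, parses a string DN, classifies it against that proposed schema, and turns it into an LDAP search filter with the filter metacharacters escaped. The attribute names `personaName` (for the persona attribute type the post leaves unnamed) and `uniqueIdentifier` (for the residential unique ID) are assumptions of this example.

```python
import re

# Assumed attribute types: the post says persona DNs get a "unique attribute
# type" but does not name it, and does not say which attribute carries the
# residential unique ID. Both are placeholders chosen for this example.
PERSONA_ATTR = "PERSONANAME"              # hypothetical persona attribute
RESIDENTIAL_ID_ATTR = "UNIQUEIDENTIFIER"  # X.520 uniqueIdentifier, chosen here

RESIDENTIAL = {"C", "ST", "L", "SN", RESIDENTIAL_ID_ATTR}
ORGANIZATIONAL = {"C", "O", "CN"}


def parse_dn(dn):
    """Split a string DN ('TYPE=value' RDNs separated by unescaped commas)
    into a dict of upper-cased attribute type -> value. Multi-valued RDNs
    joined with '+' are not handled; this is the single-value case."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        typ, sep, val = rdn.partition("=")
        if not sep or not typ.strip() or not val.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs[typ.strip().upper()] = val.strip().replace("\\,", ",")
    return attrs


def classify_dn(dn):
    """Map a DN onto the name forms item 4 proposes for searching."""
    attrs = parse_dn(dn)
    if PERSONA_ATTR in attrs:
        return "persona"
    if RESIDENTIAL <= attrs.keys():
        return "residential"
    if ORGANIZATIONAL <= attrs.keys():
        return "organizational"
    return "unknown"


def _escape(value):
    """Hex-escape the characters that have structural meaning in an LDAP
    filter, so a caller-supplied value cannot change the filter's shape."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\0" else ch for ch in value)


def search_filter(dn):
    """Build an AND filter over every component of the DN, so a lookup by
    residential, persona, or organizational name matches only an entry
    carrying all of those attributes. Components are sorted by type so the
    same DN always yields the same filter."""
    attrs = parse_dn(dn)
    terms = "".join(f"({t.lower()}={_escape(v)})" for t, v in sorted(attrs.items()))
    return f"(&{terms})"
```

As the post itself stresses, a match in the directory says nothing about whether the name and the certificate stored under it belong together; that binding is for the CA and PCA to vouch for.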