pem-dev

Re: Deja vu, again

1995-07-25 08:26:00
Bob Jueneman reports:
... in fact there is nothing in either X.509, X.500, PEM, or anywhere
else that compels the use of an X.400-like organizational name, or mailing
address style names, or anything else. We've just made assumptions based on
certain examples.

In particular, an Internet DNS name is a perfectly valid DN...

Back in the old days of PEM alpha tests, I tried to get a certificate
with the DN "o=gnu@toad.com".  ("o=" is required in a DN; all else is
optional.)  The TIS CA refused to issue it, on the grounds that they
wanted to force people into the verbose X.400 style.  Perhaps this is
what you meant by "certain examples".

No, the example I meant was the X.500 document. 

Certainly a CA can establish a policy that requires a particular naming
convention. At the time, there was a feeling that the public key infrastructure
would be best served by providing a reasonable amount of disclosure about
someone, i.e., their organization and/or their residence address.

In the context of a version 1 certificate, and at that stage in the evolution
of our thinking, I wouldn't have disagreed with them. I still question whether
the binding of a key to an e-mail address is a sufficiently strong assertion as
to be worth the bother, but ...

Is there a CA now operating which will issue such certificates?

      John Gilmore

Perhaps we should ask whether there are CAs that are operating at all, and what
kinds of names they presently allow.


Bob
