Content-Type: application/certificate; content-boundary=signature-boundary
----signature-boundary
URI: URN:org/frobble/certificates/certmaster/tim/1
Issuer-Name: certmaster(_at_)frobble(_dot_)org
Subject-Name: tim(_at_)frobble(_dot_)org
...
I like this a lot. Text-based systems work much better in the Internet
than binary format systems. And certainly anything the user has a remote
chance of seeing needs to be text based.
I would comment that the DNS is the Internet's namespace. So
tim(_at_)frobble(_dot_)org
is syntactic sugar for tim.frobble.org. It is good syntactic sugar because
it suggests that the named entity is a person, and it is a lot nicer if
there is a dot in the name to write tim(_dot_)smith(_at_)frobble(_dot_)org than
"tim.smith".frobble.org .
Another comment: the Issuer name "certmaster(_at_)frobble(_dot_)org" suggests the
X.509 concept of a Certification Authority. This is a misguided concept.
Anybody should be able to sign certificates for things they are
prepared to assert. The question is: what sort of certificates are
people going to want to believe? To me this is clear. The useful
certificates are those signed by the person responsible for the
information. For example if the A record for xyz.foo.com is certified
by the owner of the foo.com domain then we are likely to believe it
because the owner is responsible for the information and has every
reason to tell the truth and no reason to lie. If it is signed by a
certification authority, even an internal one for the organization,
then I have to wonder how they check the information. This is a useless
middleman between the responsible person and the certifying process.
Bob Smart
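The name-mapping rule (tim@frobble.org as sugar for tim.frobble.org, with a dotted local part quoted) and the "signer owns the zone" criterion from the reply above, worked into code as an added example; this is not code from the proposal or from anyone in the thread. It assumes the "----" prefix on the boundary line shown in the quoted header and a blank line ending the header fields; the sample certificate is constructed.

```python
import re
# Constructed sample in the text form quoted at the top of the thread. The "----"
# prefix on the boundary line is an assumption; the proposal does not spell it out.
SAMPLE_CERT = """Content-Type: application/certificate; content-boundary=signature-boundary
----signature-boundary
URI: URN:org/frobble/certificates/certmaster/tim/1
Issuer-Name: certmaster@frobble.org
Subject-Name: tim@frobble.org
"""

def parse_text_cert(blob):
    """Return the header fields of one text certificate as a dict."""
    lines = blob.splitlines()
    m = re.match(r'Content-Type:\s*application/certificate;\s*content-boundary=(\S+)', lines[0])
    if not m:
        raise ValueError("not an application/certificate block")
    boundary = "----" + m.group(1)
    fields = {}
    for line in lines[1:]:
        if line == boundary:
            continue               # boundary lines separate certificate and signature
        if not line.strip():
            break                  # a blank line ends the header block (assumed)
        key, sep, value = line.partition(':')
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        fields[key.strip()] = value.strip()
    return fields

def mailbox_to_dns(name):
    """The post's sugar rule: tim@frobble.org -> tim.frobble.org; a local part
    with a dot is quoted, tim.smith@frobble.org -> "tim.smith".frobble.org."""
    local, at, domain = name.rpartition('@')
    if not at:
        return name                # already a bare DNS name
    if '.' in local:
        local = '"%s"' % local
    return local + '.' + domain

def dns_labels(name):
    """Split a DNS-style name into labels; a quoted label stays one unit."""
    return re.findall(r'"[^"]*"|[^.]+', name)

def issuer_is_responsible(issuer, subject):
    """The post's criterion in structural form: the signer's domain is the subject's
    zone or an ancestor of it (foo.com may vouch for xyz.foo.com). Whole labels are
    compared, so oo.com is not an ancestor; the signature itself is not checked."""
    subj = dns_labels(mailbox_to_dns(subject))
    iss = dns_labels(issuer.rpartition('@')[2])   # issuer's domain part only
    return 0 < len(iss) <= len(subj) and subj[-len(iss):] == iss
```

The check only says whether the signer is in a position to be responsible for the name; verifying the signature over the boundary-delimited body is a separate step.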