pem-dev

Re: Embedded secure URLs

1995-10-04 18:55:00
I don't disagree in general with your remarks, especially your practical
observations. And having been a member of the NADF for several years, I'm
quite disappointed that X.500 hasn't made a better showing for itself.

Agreed. It's been 7 years now, and it's starting to look really bad...

I was really just expressing a preference for call-by-name rather than
call-by-value as way of specifying things.

This is a very different issue. I'm a strong supporter of the URN concept. I
very much want this to be a viable service. I share some of Donald's concerns
with current proposals, but there's a real need here even if current proposed
solutions are lacking. And the minute it is a defined service we'll define a
MIME access type to get at it. I just don't think DNs in the X.500 sense of the
term are going to provide it, that's all.

Some responses have also talked about this in the context of X.509. That's
a different kettle of fish. Since you can ship the necessary certs around
fairly easily, there's nowhere the same level of justification for consistent,
stable naming there.

But we weren't talking about X.509 certificates here. We were talking about
security services and URLs and the URL stability problem.

As for your example, it happens to be a perfect illustration of how these
things can go wrong. You gave a DN of the form C=US, o=whatever, ... Looks
reasonable, right? Trouble is, you're not allowed to register as an
organization under C=US without some sort of special national standing.
Organizational entries are properly made one level down, under the various
state registries. So, for most companies, it ends up as something like c=US,
st=CA, o=Certificates R Us, etc.

Just to clarify a nit -- the special national standing is really quite easy
to arrange, and probably worthwhile doing if your lawyers care about
protecting your corporate name. The registration process consists of sending
in an application to ANSI, along with a fee of around $2500 as I recall. You
can ask for either an OID or an OID plus a name. ANSI publishes your chosen
name in a standards bulletin for two or three months, and if no one complains
it is yours. It's a bit expensive and takes a while, but it's painless and
well worth doing if you think you might need to create a private X.509
attribute, for example.

Last time I checked it was $4000 for both an OID and a name. But even if it's
only $2500 -- get real! This is enough money that it gives even medium-sized
companies pause. Especially when you have to wait three months for it to take
effect. Given that they generally can register under a state immediately and
for nothing, that's what they will do. The folks that make these decisions
don't care that the current setup gets trashed. And boom -- all the DNs they
set up go down the tube. So much for stability.

In contrast, the procedures for registering a name at the state level are
quite arbitrary, and vary from state to state. Sometimes the states allow you
to register a name with them as a "foreign" (out-of-state) corporation, and
sometimes not. The semantics are particularly confusing -- duplication of
names may or may not be prevented, depending on the business you are in. It's
even worse at the local level.

Yup. But this doesn't stop people from registering here. They will change
everything to move into this space, run into trouble and change again, run into
more trouble and change again...

Isn't this fun? It makes the promise (or threat, depending on who's reading it)
of that *massive* $50 fee for a domain name seem pretty trivial, when you get
right down to it ;-)

Make no mistake. People set stuff up wrong with domain names too, and they have
to change domain names from time to time. (Mergers and acquisitions are a
common cause of this -- it's doubtful that *any* naming scheme can survive --
the need to "make it ours" is just too strong.) But the complexity of X.500 DNs
makes it far worse than domain names, at least in my experience.


                                Ned
