I don't want to go too far on this tangent, but ...
First, let me say that I believe the DNS security extension is necessary.
While I have problems with some of the approaches taken in it, I really appreciate
all the effort (especially Donald's personal effort) that has gone into it.
(Note: I have also read Ned Freed's response)
At 10:53 AM 10/4/95, Donald E. Eastlake 3rd wrote:
> On Wed, 4 Oct 1995, Kenneth E. Rowe wrote:
> > Actually, the use of a DN instead of a URL is a much better approach.
>
> Almost nothing in the real world uses Distinguished Names. Most DN schemes
> are crap based on the futile idea of a universal X.500 directory. They are
> useless until you map them to something real like URL's which introduces all
> the problems of the storage, access to, and maintenance of such a mapping.
This is confusing X.500 services with X.509 certificate formats.
> > 1) URL's are relative ... it depends on what the web server name
> > resolves to.
>
> URL's can be relative or absolute. Inability to express relative DN's
> is merely further evidence of their inadequacy. If you are giving a
> reference internal to a document or closely bound cluster of documents,
> why in the world would you want an absolute reference? Any name, to
> be of any use, must ultimately resolve at any particular time to some
> real physical data storage location/machine.
Actually, it is to a set of "equivalent" real physical data storage
locations/machines. Hence the need for URNs.
The issue of when a policy ID needs a new distinguishing ID is really the
issue of what is meant by "equivalent" policies.
> > 2) the move over the next few years will be toward URN's. These are
> > independent of DNS resolvers. They provide location and replication
> > transparency (among other things).
>
> Yeah, yeah. The mythical URN. Some people claim they are supposed to be
> independent of DNS (hey, why use the only existing global operational name
> system that already has replication and redundancy, now has reasonable
> security and secure dynamic update proposals that should shortly come out as
> IETF Proposed Standards, etc.) As long as URN's are merely a concept, it's
> pretty trivial to list all the wonderful features they are going to have.
> And if the first version of URN's doesn't have those features either, you
> can always claim a later version will...
There are many real activities going on with URNs. The same could have been
said about DNS security extensions two years ago. But I don't want to see this
turn into flaming.
The DNS has a different set of underlying assumptions than URNs. Fundamentally,
DNS will not suffice for a URN server.
See http://www.ncsa.uiuc.edu/People/kerowe/www-ppr for a fuller description of
the issues.
> > 3) the more general of a URI capability that is supported, the less
> > constrained we are to the technology.
>
> That sure sounds like a tautology.
I'll assume you meant "a compound proposition which is unconditionally true
... by virtue of its logical form" instead of an insult.
Ken.
-------------------------------------------------------------
Kenneth E. Rowe (kerowe@ncsa.uiuc.edu)
Senior Security Engineer (217) 244-5270 (Office)
/ Security Coordinator (217) 244-0710 (NCSA IRST)
National Center for Supercomputing Applications
*** email ncsa-irst@ncsa.uiuc.edu for computer incident response ***