pem-dev

Re: Embedded secure URLs

1995-10-04 22:49:00
However, present-day URLs for the most part are pretty simple. And
simplicity is a good thing since it tends to align well with human nature.
This gives them a huge leg up on DNs from the start.

Marshall Rose and the NADF have already convinced the world that the DN
in an X.509 certificate has little or nothing to do with X.500 directory
services.

Yes, but so what? We weren't talking about X.509 certificates. We were talking
about use of DNs (not URNs, not certificates) instead of URLs to reference an
external object. As far as I know the conversion of a bare DN into some sort of
value can only be done by X.500 at the present time.

Einar Stefferud convinced the world that leveraging off the existing social
institutions for personal and organizational naming was the way to go. Steve
Kent seems to be the originator of the notion of a certificate as a
(revocable) name/key binding.
 
Again, what does this have to do with the subject at hand? Stef also says that
the global X.500 directory is an idea whose time is past. And much as I hate to
say it, he makes a damn good case too... This at least is a relevant statement,
and very much goes against the notion of using DNs this way.

Verisign took these lessons very much to heart. We also learned that
the Web itself is its own user and knowledge directory service. I have
no doubt others also learned such simple lessons.

Steve Kent once showed a viewgraph asking: what's in a name (crossed-out)
public-key
certificate (in emphasis)

perhaps this should be replaced by, what's in a URN/public-key certificate
to keep up with the latest jargon for some very old notions.

what do you think?

Secure lookup services are important. However, they don't address, let alone
solve, the resource stability problem, at least not by virtue of their
security. And the stability problem is what we were talking about. And
moreover, they are not a substitute for checking the object that's retrieved
against a known checksum value, which is the other thing we were talking about.

                                Ned
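
An added illustration of the last point, not part of the original message: a reference that carries a digest next to the URL, and a fetch that accepts the object only if it still matches, however trustworthy the lookup was. The use of SHA-256, the names EmbeddedReference and fetch_verified, the example.org URL and the two stand-in stores are all assumptions made for this sketch.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class EmbeddedReference:
    """A reference carried inside a message: where to fetch, what to expect."""
    url: str
    sha256_hex: str  # digest recorded by the sender (SHA-256 is an assumption)

class DigestMismatch(Exception):
    pass

def fetch_verified(ref, fetch):
    """Fetch ref.url with the caller-supplied fetch() and return the body only
    if its SHA-256 equals the digest embedded alongside the URL."""
    body = fetch(ref.url)
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, ref.sha256_hex.lower()):
        raise DigestMismatch(f"{ref.url}: expected {ref.sha256_hex}, got {actual}")
    return body

# Constructed sample data: the object as it was when the message was written,
# and what the same location serves after the resource has changed.
ORIGINAL = b"Draft 3 of the proposal\n"
CHANGED = b"Draft 4 of the proposal\n"
REF = EmbeddedReference("https://example.org/drafts/proposal.txt",
                        hashlib.sha256(ORIGINAL).hexdigest())

def stable_store(url):
    # Hypothetical store that still serves the original object.
    return ORIGINAL

def drifted_store(url):
    # Hypothetical store reached through a fully authenticated lookup;
    # the name resolved correctly, but the content behind it has changed.
    return CHANGED

def check(fetch):
    """Return 'accepted' or 'rejected' for REF fetched through fetch()."""
    try:
        fetch_verified(REF, fetch)
        return "accepted"
    except DigestMismatch:
        return "rejected"

if __name__ == "__main__":
    print(check(stable_store), check(drifted_store))
```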
