[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: comments on client auth

At 11:32 AM 6/14/96 -0500, Brian M. Thomas wrote:

>I, or for tht matter Carl, or Blaze, or just about anybody, have never made
>the assertion that names (and name certs) are not necessary.  

Peter might be referring to my frequent observation that if you want a unique name for someone (as in an X.509 DN) you can try making a common name unique by adding country, company, organizational unit, ... -- or you can just use the person's public key, which better be unique or we're all in trouble.

Public keys don't pronounce well, so humans need common names (more likely nicknames, which is where SDSI comes in).  However, DN's don't pronounce or read well either.  Therefore, I will want a local database mapping my chosen nicknames to unique names -- and the unique name of choice, for me, is the key.  I can map from that to the public key pretty simply :) -- and don't need a certificate to do it.

Similarly, for security audit log reading, one can have a mapping back from a public key to a person's name and how to tell the FBI how to find him.  Given that mapping, one can use the hash of a public key to label log entries.  You get your audit trail and we avoid DNs.