[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NULL Distinguished Names

At 10:04 2/27/96, Jueneman@gte.com wrote:

>>To be fair to X.509, and to the PKIX group, DistinguishedNames are not
>>  a necessary prerequisite to generating a certificate.
>I agree, and was about to say the same thing myself. In fact, one of the
>I'd like to see in the PKIX document is a clearer exposition of exactly what
>purpose the DN is supposed to serve in a certificate.
>To my way of thinking, the DN serves three functions, none of which are
>fundamental or absolutely necessary for all posssible applications although
>they may be very useful or even a requirement for other applications:
>1. It provides a guaranteed-unique way of referring to the certificate itself,
>when it is stored in a database of directory. In other words it is a direct
>lookup search index. It may or may not be useful for browsing, depending
>on the
>structure (schema) of the DN.


        I'm glad you brought this up so I didn't have to speak for the
X.509 community.

        In the applications I've dealt with which use X.509 certs, the
only way of finding a certificate was by DN -- so if those applications
encountered a certificate with a NULL DN, it would bomb out -- be unable to
find/use it.  As a result, that body of applications which uses non-NULL
DNs will force non-NULL DNs on the rest of the world.

        In general, if X.509 were to move to a NULL DN and to use the
V3 flexibility to attach the kind of Meaning field I'm advocating, then I
would take that as a victory for the alternative proposal.  All that would
remain would be the engineering job of droppin useless fields from the

>2. In the case of a directory such as X.500, it provides a strong access
>control mechanism over who can modify the other entries associated with the
>entity named by the DN.

        There are those of us who believe that X.500 will never come to
pass on its own and *should* never be created just for supporting X.509.

>In general, I would take the position that the form of the DN should be
>specified by the database or directory administrator, NOT by the CA. However,
>at the rate things are moving in the X.500 and other directory
>communities, the
>CAs may get there first.

...or neither will ever create such directories.

 - Carl

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |