Re: going back to stone axes


Just to add another data point ...

> From: cme@cybercash.com (Carl Ellison)
> The problem is that ASN.1 made it easy to define a Distinguished Name
> as a SEQUENCE OF a SET OF a SEQUENCE of Attribute, Value.  If you had
> to define things with C or PASCAL structures, some of the pain of such
> a baroque structure would have been visited upon the heads of those
> specifying the structure and they might have had second thoughts --
> used a simple byte string instead.

DistinguishedName wasn't defined the way it was because of ASN.1. It was
defined that way because of the application in which it was defined. It has
rich semantics that aren't conveyed by a simple byte string. In any
other DDL, or in C or Pascal, it would have been defined in an equivalent

No one at Telstra Research would want to replace DistinguishedName with
a byte string because of all the constant reparsing, cutting and splicing
that would entail. We would end up writing more code, not less. Given the
sort of heavy duty processing we do to DNs, trying to pack a DN into a
string is considered brain dead. Those rich semantics matter to us.

Your concern with the complexity of DistinguishedName is not evidence
that ASN.1 is fundamentally flawed. It is evidence that DistinguishedName
is not suited to the sorts of applications you deal with. I don't have
a problem with that.

> It is my serious, firm belief that a designer coming up with such a baroque
> structure as the X.509 DN should be punished by his own process -- not
> merely by the wrath of implementors saddled with using his output.

I work for someone who fits the description of one of the designers
of X.509 DN. He does program using the data structures generated by the
ASN.1 compiler and he isn't bothered by them.

Steven Legg
Security & Directories Section
Telstra Research Laboratories
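The SEQUENCE OF a SET OF a SEQUENCE nesting the two posts argue about, written out as a small DER encoder plus a shape-checker that recovers the RDN grouping from the nesting alone, without any string reparsing. This is an added example, not code from either correspondent; it assumes PrintableString values, the X.520 attribute OIDs listed, and short-form lengths in the decoder (DNs under 128 bytes).

```python
"""DER encoding of an X.501 DistinguishedName (RDNSequence).
Name ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY }
"""

# Attribute type OIDs from X.520; values are assumed to be PrintableString.
OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}


def der_length(n):
    """Definite-form length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:  # base-128, high bit set on all but the last byte
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def encode_dn(rdns):
    """rdns: list of RDNs, root first; each RDN is a list of (type, value)."""
    out = b""
    for rdn in rdns:
        atvs = [tlv(0x30, encode_oid(OIDS[t]) + tlv(0x13, v.encode("ascii")))
                for t, v in rdn]
        out += tlv(0x31, b"".join(sorted(atvs)))  # DER: SET OF members sorted
    return tlv(0x30, out)


def rdn_shape(der):
    """Return the number of attributes in each RDN (short-form lengths only)."""
    def children(blob):  # split a concatenation of TLVs into (tag, content)
        i, kids = 0, []
        while i < len(blob):
            tag, ln = blob[i], blob[i + 1]
            kids.append((tag, blob[i + 2:i + 2 + ln]))
            i += 2 + ln
        return kids
    assert der[0] == 0x30 and der[1] < 0x80
    return [len(children(rdn)) for _tag, rdn in children(der[2:2 + der[1]])]
```

A multi-valued RDN such as OU=Research+CN=Steven Legg stays one SET in the encoding, which is exactly the grouping a flat byte string would force every consumer to re-derive.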