[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: DN naming conventions and schema
> On Thu, 4 Dec 1997, Bob Jueneman wrote:
>
> -> Patrick,
> -> >
> -> >>>> "Patrick C. Richard" <patr@xcert.com> 12/04 12:32 AM >>>
> -> >Ed Gerck wrote:
> -> >>
> -> >> As to the CAs doing name assignment, this is actually mandated by X.509.
> -> >> The problem of connecting different CA's is solved in X.509 by forming a
> -> >> PKI of CAs -- which is possible in principle because all CAs follow the
> -> >> *same* naming convention.
> -> >
> -> >This does not necessarily apply to anyone using PKIX (recognizing that
> -> >you *did* mention X.509 and not PKIX), and I am posting this as many
> -> >blindly equate PKIX with X.509 (yes, I recognize the similarities). PKIX
> -> >mandates the use of subject a "DN", but has absolutely no enforcement on
> -> >the contents of that DN, and nothing in PKIX prevents DNs containing any
> -> >information or any naming convention you want, X.500 or not.
> ->
> -> Actually, this isn't correct, since in PKIX the DN is optional, and may be
> -> an empty sequence. (Although in that case one or more subjectAltName
> -> definitions must be provided, and the subjectAltName attribute must be
> -> marked Critical.)
> ->
Yes, sorry bob, when i put "DN" in quotes (the first time but not the
second) I was implying whatever was being used to acheive the naming
context - which can be really any field in a signed object which is
deemed to be an identifier, which in the case of PKIX, is the DN or
altname.
Thanks for pointing that out. I think the naming independence concept is
something that a lot of people are missing when they think of pkix,
which is what spurred the original post.
Thanks guys.
-Pat
--
Patrick C. Richard - patr@xcert.com
Public Key Available via LDAP
"All informational objects are candidates for PKI-based ACLs."
- yhe
References: