
Re: DN naming conventions and schema

> On Thu, 4 Dec 1997, Bob Jueneman wrote:
> -> Patrick,
> -> >
> -> >>>> "Patrick C. Richard" <patr@xcert.com> 12/04 12:32 AM >>>
> -> >Ed Gerck wrote:
> -> >>
> -> >> As to the CAs doing name assignment, this is actually mandated by X.509.
> -> >> The problem of connecting different CA's is solved in X.509 by forming a
> -> >> PKI of CAs -- which is possible in principle because all CAs follow the
> -> >> *same* naming convention.
> -> >
> -> >This does not necessarily apply to anyone using PKIX (recognizing that
> -> >you *did* mention X.509 and not PKIX), and I am posting this as many
> -> >blindly equate PKIX with X.509 (yes, I recognize the similarities). PKIX
> -> >mandates the use of subject a "DN", but has absolutely no enforcement on
> -> >the contents of that DN, and nothing in PKIX prevents DNs containing any
> -> >information or any naming convention you want, X.500 or not.
> ->
> -> Actually, this isn't correct, since in PKIX the DN is optional, and may be
> -> an empty sequence. (Although in that case one or more subjectAltName
> -> definitions must be provided, and the subjectAltName attribute must be
> -> marked Critical.)
> ->

Yes, sorry Bob, when I put "DN" in quotes (the first time but not the
second) I was implying whatever was being used to achieve the naming
context - which can be really any field in a signed object which is
deemed to be an identifier, which in the case of PKIX, is the DN or

Thanks for pointing that out. I think the naming independence concept is
something that a lot of people are missing when they think of PKIX,
which is what spurred the original post.

Thanks guys.


Patrick C. Richard - patr@xcert.com
Public Key Available via LDAP

"All informational objects are candidates for PKI-based ACLs."
       - yhe
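An added example, not part of the original thread or of any project's code: it builds self-signed PKIX certificates with the third-party Python `cryptography` package and checks the rule Bob states above, that an empty subject DN requires a subjectAltName extension marked critical. The issuer name and the e-mail address in the subjectAltName are constructed sample values.

```python
# Added example: verify the PKIX rule that a certificate with an empty subject
# DN must carry a critical subjectAltName. Third-party 'cryptography' package;
# issuer name and e-mail address below are constructed samples.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def naming_is_valid(cert: x509.Certificate) -> tuple[bool, str]:
    """Return (ok, reason) for the subject / subjectAltName naming rule."""
    if len(cert.subject) > 0:
        return True, "non-empty subject DN"
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return False, "empty subject DN and no subjectAltName"
    if not san.critical:
        return False, "empty subject DN but subjectAltName is not critical"
    if len(san.value) == 0:
        return False, "empty subject DN and empty subjectAltName"
    return True, "empty subject DN, critical subjectAltName present"


def make_cert(empty_subject: bool, san_critical: bool) -> x509.Certificate:
    """Self-signed test certificate; 'Example CA' is a constructed issuer."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, "Example CA")])
    subject = x509.Name([]) if empty_subject else issuer   # empty SEQUENCE if requested
    now = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name("patr@example.com")]),
            critical=san_critical,
        )
    )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    for empty, crit in ((False, False), (True, True), (True, False)):
        print(empty, crit, naming_is_valid(make_cert(empty, crit)))
```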