
Re: Display name attribute



Sorry if you did not follow my quick reply below. I'll expand.

> > I have just been issued with a certificate by Thawte, with a common name
> > of Thawte Freemail Member. That's pretty good, isn't it, as everyone else in
> > the world gets the same CN 
in the DN in their certificate.
So Netscape tells me the name of the cert
> > owner, but it is no use to me, as it does not tell me
who the owner really is, other than Thawte Freemail Member.

. So even if a display name attribute was
> > somewhere in my directory entry, it would not help Netscape to tell me
> > whose certificate it was, would it?
> 
since the display name attribute is not in the certificate stored in my Netscape browser.

> You've lost me. Is this an example of someone storing
> useless garbage in a cn attribute ? If so it won't

Precisely. And because the certificate with its DN gets removed 
from the directory and cached in Netscape, I can no longer tell 
whose certificate this is, as all I have to read is the DN. This is why 
the CN must be meaningful, so I can see who the owner of the 
cached certificate is.

The main point is that the DN with the CN stays in the certificate, but 
the display name stays in the directory. They get separated. 
Therefore whilst the display name may help when displaying the 
directory entry, it does not help when displaying the certificate. But 
if you have a meaningful CN, it helps in both places, since the DN 
stays with the certificate.

Hope this is clearer now.

David


> be the first time that's happened, but I don't see
> what light it sheds upon this argument, except perhaps
> that an attribute named "displayName" could suffer
> from less misuse since its name directly implies its
> purpose in plain English.
> 
> > So I am suggesting that a meaningful CN is better than a meaningful
> > Display name
> 
> If cn is assigned meaningfully, AND cn is single valued,
> then cn can serve the purpose for which displayname was
> intended.
> 
> However, we know that some sites place meaningless
> garbage in cn (e.g. employee number). We also know
> that some sites store multiple values in cn.
> 
> Hence, where either of the two conditions described in
> the paragraph above pertain, displayname is useful.
> Compelling even.
> 
> 
> 
> 


***************************************************

David Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351  Fax +44 161 745 8169
*NEW* Mobile +44 790 167 0359 *NEW*
Email D.W.Chadwick@iti.salford.ac.uk
Home Page  http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J

***************************************************
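
Added example, not part of the original message: a check over a client's certificate cache that flags common names shared by more than one certificate, which is the situation the message describes, where only the subject DN travels with the certificate. The cache entries, serial numbers and the non-CN parts of the DNs are constructed sample data, and the DN parser handles backslash-escaped separators only (an assumption of this sketch, not a full RFC 4514 parser).

```python
from collections import defaultdict

# Constructed sample: (serial, subject DN) pairs as a client cache might hold them.
# Only the DN is available here; the directory's displayName is not in the certificate.
CACHED = [
    ("01", "CN=Thawte Freemail Member,E=alice@example.org"),
    ("02", "CN=Thawte Freemail Member,E=bob@example.org"),
    ("03", "CN=Smith\\, John,OU=Research,O=Example University,C=GB"),
]

def parse_dn(dn):
    """Split a DN string into (type, value) pairs.

    A backslash escapes the next character, so 'Smith\\, John' stays one value.
    Multi-valued RDNs joined with '+' are split into separate pairs.
    Hex escapes and quoted values are not handled in this sketch.
    """
    pairs, buf, escaped = [], [], False
    for ch in dn + ",":          # trailing comma flushes the last RDN
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            attr, _, value = "".join(buf).partition("=")
            if attr.strip():
                pairs.append((attr.strip().upper(), value.strip()))
            buf = []
        else:
            buf.append(ch)
    return pairs

def ambiguous_common_names(cached):
    """Return {cn: [serials]} for CNs carried by more than one cached certificate.

    Such a CN cannot tell the user whose certificate is being displayed.
    Comparison is case-insensitive; certificates without a CN are grouped together.
    """
    by_cn = defaultdict(list)
    for serial, dn in cached:
        cns = [value for attr, value in parse_dn(dn) if attr == "CN"]
        for cn in cns or ["<no CN>"]:
            by_cn[cn.lower()].append(serial)
    return {cn: serials for cn, serials in by_cn.items() if len(serials) > 1}

if __name__ == "__main__":
    for cn, serials in ambiguous_common_names(CACHED).items():
        print(f"CN '{cn}' does not identify an owner: serials {', '.join(serials)}")
```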