Re: Display name attribute
Sorry if you did not follow my quick reply below. I'll expand.
> > I have just been issued with a certificate by Thawte, with a common name
> > of Thawte Freemail Member. That's pretty good, isn't it, as everyone else in
> > the world gets the same CN
in the DN in their certificate.
So Netscape tells me the name of the cert
> > owner, but it is no use to me, as it does not tell me
who the owner really is, other than Thawte Freemail Member.
So even if a display name attribute was
> > somewhere in my directory entry, it would not help Netscape to tell me
> > whose certificate it was, would it?
>
since the display name attribute is not in the certificate stored in my Netscape browser.
> You've lost me. Is this an example of someone storing
> useless garbage in a cn attribute ? If so it won't
Precisely. And because the certificate with its DN gets removed
from the directory and cached in Netscape, I can no longer tell
whose certificate this is, as all I have to read is the DN. This is why
the CN must be meaningful, so I can see who the owner of the
cached certificate is.
The main point is that the DN with the CN stays in the certificate, but
the display name stays in the directory. They get separated.
Therefore whilst the display name may help when displaying the
directory entry, it does not help when displaying the certificate. But
if you have a meaningful CN, it helps in both places, since the DN
stays with the certificate.
Hope this is clearer now.
David
> be the first time that's happened, but I don't see
> what light it sheds upon this argument, except perhaps
> that an attribute named "displayName" could suffer
> from less misuse since its name directly implies its
> purpose in plain English.
>
> > So I am suggesting that a meaningful CN is better than a meaningful
> > Display name
>
> If cn is assigned meaningfully, AND cn is single valued,
> then cn can serve the purpose for which displayname was
> intended.
>
> However, we know that some sites place meaningless
> garbage in cn (e.g. employee number). We also know
> that some sites store multiple values in cn.
>
> Hence, where either of the two conditions described in
> the paragraph above pertain, displayname is useful.
> Compelling even.
>
>
>
>
***************************************************
David Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351 Fax +44 161 745 8169
*NEW* Mobile +44 790 167 0359 *NEW*
Email D.W.Chadwick@iti.salford.ac.uk
Home Page http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J
***************************************************