
Re: Display name attribute



> I see. Thanks for the clarification. I sense some tension
> between the concept of a certificate and that of a
> Directory entry. Is the problem that an X.509 cert
> cannot contain a display name?
> 

The X.509 cert contains a DN (which can contain anything you want 
in terms of attributes, common names or display names, it makes no 
difference) plus an optional General Names field in an extension that 
can hold an email address or an IP address or DNS name plus a 
few others. It could even hold a display name if you wanted it to. But 
no one currently is suggesting you do that.

So you ideally want the DN in the directory to be the DN in the cert, 
and for the DN to be meaningful and unique. But because some 
orgs don't have truly unique DNs (only local DNs) then the email 
address in the cert also provides global uniqueness.


> I'd note that the intention of DisplayName
> is not to encourage people to store even more useless
> information in cn than they did previously! Do you believe
> that it could have that effect?

It could. This is why I was trying to ascertain the real purpose of 
display name, and why CN could not be used equally as well. My 
conclusion is that display name is there to solve the problem of 
people not using sensible CNs, so that the directory entry can be 
usefully displayed, but this does not solve the certificate problem. 
The better solution would be to encourage people to use a sensible 
CN in the DN (then if CN is multiple valued this does not matter as 
you use the DN one for display purposes and the other ones for 
searching).

David




***************************************************

David Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351  Fax +44 161 745 8169
*NEW* Mobile +44 790 167 0359 *NEW*
Email D.W.Chadwick@iti.salford.ac.uk
Home Page  http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J

***************************************************
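
The rule suggested in the message above (display the cn value that appears in the DN, search on the other cn values), as an added example that is not part of the original post. It assumes the DN is available in its LDAP string form with backslash escaping; the function names and the sample entry are constructed for illustration.

```python
import re

def split_unescaped(s, seps):
    """Split s on separator characters that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]  # keep the escape pair intact
            i += 2
        elif s[i] in seps:
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    parts.append(cur)
    return parts

def unescape(value):
    """Undo DN string escaping: backslash + hex pair, or backslash + char."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1].encode()
            i += 2
        else:
            out += value[i].encode()
            i += 1
    return out.decode("utf-8")

def naming_cns(dn):
    """CN value(s) in the leftmost (most specific) RDN of the DN string."""
    rdn = split_unescaped(dn, ",")[0]
    pairs = (ava.partition("=") for ava in split_unescaped(rdn, "+"))
    return [unescape(v) for t, _, v in pairs if t.strip().lower() == "cn"]

def display_and_search(dn, cn_values):
    """Display the cn value that names the entry; search on the others."""
    naming = {v.casefold() for v in naming_cns(dn)}
    display = [v for v in cn_values if v.casefold() in naming]
    search = [v for v in cn_values if v.casefold() not in naming]
    return (display[0] if display else None), search

# Constructed sample entry: multi-valued cn, one value is also in the DN.
DN = r"cn=Smith\, John,ou=Sales,o=Example Corp,c=GB"
CNS = ["jsmith", "Smith, John", "J. Smith"]
print(display_and_search(DN, CNS))
```

The display value is `None` when the naming RDN carries no cn (for example an entry named by uid), so the caller has to choose a fallback explicitly.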