Re: any surveys about DC vs O,C ?

ext Tony Earnshaw (tonni@billy.demon.nl) wrote:
> What are you trying to do with the certs that isn't already covered in
> the PKCS standards?

Nothing. I just wanted to see if some studies had been done, since this
is a problem IMHO when X.509 subject names are based one way and
published into a directory which is based in a different way.

However, it seems that vendors of CA-related software have a complete
disregard for directory design when it comes to using domain components.
And I believe that quite a lot of people are using domain components
today. That's why I was trying to get some general feelings about this.

> What bearing does it have on Openldap?

For example, many examples in the OpenLDAP documentation are describing
the domain component directory base. Many new directory administrators
will follow these examples when constructing directories. I'm a big
proponent of the domain component model, as well. These same
administrators might decide to build a PKI on top of their directories
and will be facing the same difficulties explaining or dealing with
these inconsistencies.

IMHO, the problem lies with the fact that the PKI RFCs were based on X.500,
long before RFC2247 was written, and the examples were based on the
X.500 dream of a global directory and there weren't many multi-national
organizations trying to build directories at that time. Coders have
taken examples or suggestions and hard coded them into user interfaces,
and sometimes much deeper into the code.

It might be time for a draft discussing this issue...