
Re: o and c or dc?



In message <6.0.0.22.0.20040113104554.02726c68@127.0.0.1> on Tue, 13 Jan 2004 11:22:18 -0800, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> said:

Kurt> I'm sure I've said this before... so this is purposely blunt.
Kurt> 
Kurt> DNs are intended to provide unambiguous naming for THE directory.
Kurt> Much like IP addresses and domain names for THE Internet,
Kurt> there exist naming plans.   Just as you shouldn't pull IP
Kurt> addresses and domain names out of your ass (when on THE
Kurt> Internet), you should not pull DNs out of your ass when naming
Kurt> entries in THE directory.  (You can do whatever you want in
Kurt> private.)

From that perspective, most CAs of today have a private directory.
Some names are *really* pulled out of their ass and nowhere else...
Now, of course, that's all about certificates, which one may choose
to disconnect from the directory (or THE directory for that matter),
but I'm of the opinion that if you store certificates in directory
entries, it's best if the entry DN matches the certificate DN...

Kurt> On THE directory on THE Internet, the naming plan is to use
Kurt> DC style naming: an organization uses their registered domain
Kurt> names to construct the name of their subtree.  This plan allows
Kurt> for interoperation with THE OSI directory, which uses
Kurt> geopolitical naming based upon registered organization
Kurt> names. The key word, in both cases, is "registered".
Kurt> 
Kurt> Beyond this, it should be noted that DC naming supports locating
Kurt> LDAP servers based upon information published in DNS.  This allows
Kurt> LDAP servers to be more loosely coupled than those using
Kurt> geopolitical naming.  Hence, there is good technical reason to favor DC
Kurt> naming (on the Internet or in private) over geopolitical naming.

True, we currently have a DNS structure that allows for delegation of
zone authority, and it works well.  What I'd like to know is if there
is a possibility, at least in theory, to have something similar for
directories through referrals?  There would be a set of, eh, root LDAP
servers that would contain referrals to countries, and the servers they
refer to would contain referrals to the next level as well as entries
with only two RDNs in the name, and so on.  Basically mimicking the DNS
structure with pure LDAP.  Is this at all possible?  I've been playing
with the thought of starting something like this, if there would be an
interest...

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
You don't have to be rich, a $10 donation is appreciated!

-- 
Richard Levitte   \ Tunnlandsvägen 3  \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 36  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
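Kurt's point that a DC-style DN carries enough information to locate its LDAP servers through DNS, as an added Python example that is not part of this thread: it maps the dc= components of a DN to a domain name (the RFC 2247 mapping) and to the _ldap._tcp SRV owner name one would query (RFC 2782), returning None for a geopolitical DN, which has nothing to resolve, or for a dc value that is not a valid DNS label. The DNs below are constructed samples; no network lookup is performed.

```python
import re
from typing import List, Optional

# Constructed sample DNs (not taken from the thread): one DC-style, one geopolitical.
SAMPLE_DC_DN = "cn=Richard Levitte,ou=People,dc=stacken,dc=kth,dc=se"
SAMPLE_GEO_DN = "cn=Richard Levitte,o=Stacken Computer Club,l=Stockholm,c=SE"

# A single DNS label per RFC 1035: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_dn(dn: str) -> List[str]:
    """Split a string DN into RDNs at unescaped commas (RFC 4514 style)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:                 # keep the escaped character literally
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def dn_to_domain(dn: str) -> Optional[str]:
    """Join the dc= values of a DN, in order, into a domain name.

    Returns None when the DN has no dc components (geopolitical naming) or
    when a dc value is not a legal DNS label, since neither can be resolved.
    """
    labels = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "dc":
            if not _LABEL.match(value):
                return None
            labels.append(value.lower())
    return ".".join(labels) if labels else None


def ldap_srv_name(dn: str) -> Optional[str]:
    """SRV owner name to query for the LDAP servers of the DN's naming context."""
    domain = dn_to_domain(dn)
    return f"_ldap._tcp.{domain}" if domain else None
```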