@Jakob I was referring to the classical namespaces which have evolved since the 1980s. The NSF pilot project was based on a now obsolete version of X.500, Quipu, that was world-rooted with participating country directories. While I managed that part of the capital-D Directory it was in the context of c=US. It was at that point we modified the EDB of the pilot project to include certificates so that the nuclear labs could use low-cost Internet mail to collaborate with other organizations to decrease the number of weapons under the negotiated treaties.
During that time the labs went through the process of also proposing and adopting the domain component approach. Still, it was possible as an Internet user to download a certificate from a part of c=US that was part of that directory tree. Since the certificate is a viable stand-alone ASN.1 object, it actually does not entirely matter where one obtains the certificate (but with some caveats as to the original design), which relates to semiotics and the general nature of what is considered authoritative or even useful in the post-dot-com world. For example, when those of us in the US represent ourselves to people who are not in the US, I can look at the certificate that is pushed to a user (and of course no longer trusted) and say, hmm, based on my knowledge of Google, and geography, and business, they are not located in Boca Raton. I find the EV helpful as a user, but I know it is masking a deeper problem. And I don’t see any of the CAs who acknowledge this problem privately as doing the right thing, based on a tacit realpolitik that ultimately disadvantages the Internet user with less than optimal security. It’s not that the state chancery errors would replicate into an X.500 environment; on the contrary, that is name confusion engineered into DNS to profit from user name confusion. The classic example is whitehouse.com. Registrars offer similar names at a discount bundle price for this reason; it is a business model. At the same time they sell certificates. They blind the ownership in WHOIS because frankly one gets horribly spammed when one uses WHOIS the way it was intended in the original DDN-NIC version of the 1980s. So the Internet needs to have a viable trust framework, and one already exists under c=US, using X.500, which feeds the various trust frameworks that don’t entirely trust the Internet.
CT is one of those technologies that benefits the Internet directly, but the business model is based on these separate organizations which the CAs interact with; the selling proposition to them is that the BR are BS. You need, my dear customer, a trust framework that uniquely represents you as a member of the Carpenters Union so your unique woodworking skills are fairly represented, as opposed to anyone who can set up shop as Stripe Carpenters with a business registration. That allows for the enterprise certificates and directories as a market, the government and military who to some extent use the commercial CAs, but also do not, and thus gain the advantages of cross-certification using X.500 at the Federal Bridge between these major siloed trust frameworks. The DN is inherently unique. The Internet enterprise OID is something else. If geography has anything to do with this, then it’s possible to extend c=US to have semantic meaning, according to the last extant analysis done. The US government can’t solely be c=US; that’s a common namespace confusion. They are at an Organization level. However there are two OID paths in that regard.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
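The post contrasts geographic X.500 naming (a DN rooted under c=US) with the domain component approach, and describes reading the subject's location fields out of a certificate to judge whether they are plausible. As an added example, not code from the original post or from any of the projects it mentions, the following Python script parses an RFC 4514 string DN into its RDNs (handling backslash and hex escapes and multi-valued RDNs), maps a DNS name to its RFC 2247 dc= form, and checks whether a DN lies under a naming context such as c=US. All DNs and domain names below are constructed samples; the function names are the example's own.

```python
"""Added example (not part of the original mailing-list post): string DN
parsing, RFC 2247 domain-component naming, and a naming-context check."""
from typing import Dict, List, Tuple

RDN = List[Tuple[str, str]]  # one RDN may hold several attribute=value pairs
HEX = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 string DN into RDNs, most specific first.

    Attribute types are lower-cased; values keep their case. Backslash
    escapes (\\, and \\2C forms) and '+' multi-valued RDNs are handled.
    """
    rdns: List[RDN] = []
    current: RDN = []
    buf: List[str] = []
    attr = None
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                buf.append(chr(int(pair, 16)))  # \2C -> ','
                i += 3
            else:
                buf.append(dn[i + 1])  # \, -> ','
                i += 2
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip().lower()
            buf = []
        elif ch in ",;+":
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            current.append((attr, "".join(buf).strip()))
            attr, buf = None, []
            if ch != "+":  # ',' or ';' closes the RDN; '+' continues it
                rdns.append(current)
                current = []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError(f"trailing RDN without '=' in {dn!r}")
    current.append((attr, "".join(buf).strip()))
    rdns.append(current)
    return rdns


def domain_to_dc_dn(fqdn: str) -> str:
    """RFC 2247 mapping: 'www.example.com' -> 'dc=www,dc=example,dc=com'."""
    labels = [label for label in fqdn.strip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def _normalised(dn: str) -> List[List[Tuple[str, str]]]:
    # case-insensitive comparison of values; order inside an RDN is irrelevant
    return [sorted((a, v.lower()) for a, v in rdn) for rdn in parse_dn(dn)]


def under_context(dn: str, context: str) -> bool:
    """True if `dn` lies strictly beneath `context` (e.g. 'c=US')."""
    dn_rdns, ctx_rdns = _normalised(dn), _normalised(context)
    if len(ctx_rdns) >= len(dn_rdns):
        return False
    return dn_rdns[-len(ctx_rdns):] == ctx_rdns


def geo_fields(dn: str) -> Dict[str, str]:
    """Pull the location-bearing attributes (c, st, l, o) out of a subject DN,
    the fields a relying party would compare against what it knows."""
    wanted = {"c", "st", "l", "o"}
    out: Dict[str, str] = {}
    for rdn in parse_dn(dn):
        for attr, value in rdn:
            if attr in wanted and attr not in out:
                out[attr] = value
    return out


if __name__ == "__main__":
    # constructed sample subject, not a real certificate
    subject = "cn=Example Corp,l=Boca Raton,st=Florida,o=Example Corp,c=US"
    print(geo_fields(subject))
    print(under_context(subject, "c=US"))
    print(domain_to_dc_dn("www.example.com"))
```

The parser keeps the DN as a list of RDNs rather than a flat dictionary because a subject may legitimately carry the same attribute type twice and because the order is what makes the name unique under its context.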