S.E.E. PKI Paper 11 - S.E.E. Key enabling a web based application

7 Relying on Certs/Keys versus DNs

7.1.1 Some systems take the binary certificate (or the public key it contains) and use it as the lookup key into an internal authorisation system.

7.1.2 This has the advantage that what we are trusting is a public key, and our confidence in how that key was generated and protected can grow with time. If we have a close relationship with the subscriber, we may also rely on them to tell us about any potential key compromise, and so perhaps avoid the need to perform certificate status checking altogether. (That only covers compromises the subscriber has noticed; revocation by the CA remains the authoritative signal for a compromise detected elsewhere.) However, there are two major disadvantages.

7.1.3 If the whole certificate is compared rather than the public key, then the authorisation entry has to be replaced whenever the certificate expires: a renewed certificate is a different byte string even when it carries the same key and the same subject.

7.1.4 If the subscriber needs a new certificate, for example because they lost their token or changed CA, then the application needs to be updated. A lost token means a new key pair, so in that case even a mapping on the public key breaks.

7.1.5 Relying on DNs mitigates these disadvantages: by relying on a particular DN, the application owner isn't affected by certificate expiry, and the user is free to replace certificates. The trade-off is that a DN is only as trustworthy as the CA that asserted it, so the application must still validate the certificate chain against the CAs it trusts (and check certificate status) before using the DN to look up an authorisation; otherwise any CA could issue a certificate carrying an allow-listed DN.
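The following Go program is an added worked example for 7.1.1 to 7.1.5; it is not code from the S.E.E. paper or from any S.E.E. product. It builds, with Go's standard crypto/x509 library, a constructed test CA, an "Alice Example" subscriber certificate, a renewal of it on the same key (7.1.3), a replacement on a new key after a lost token (7.1.4), and, going one step beyond the paper's text, an impostor certificate with the same DN issued by an untrusted CA. Each certificate is then checked against allow-lists seeded from the original under the three binding strategies: whole-certificate fingerprint, public-key (SubjectPublicKeyInfo) fingerprint, and subject DN. All names, key types (ECDSA P-256) and serial numbers are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// mustKey generates a fresh P-256 key pair (stands in for a subscriber's token).
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for subject/pub. With parent == nil it is a
// self-signed CA; otherwise it is a client certificate signed by parent/parentKey.
func issue(subject pkix.Name, pub *ecdsa.PublicKey, serial int64,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl // self-signed root
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func hash(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// The three lookup keys discussed in section 7.
func certKey(c *x509.Certificate) string   { return hash(c.Raw) }                     // whole certificate (7.1.3)
func pubKeyKey(c *x509.Certificate) string { return hash(c.RawSubjectPublicKeyInfo) } // public key only (7.1.2)
func dnKey(c *x509.Certificate) string     { return c.Subject.String() }              // subject DN, RFC 2253 form (7.1.5)

// authorised validates the chain against the trusted roots and then looks the
// certificate up in allow under the chosen strategy. The chain check is what
// stops an untrusted CA from asserting an allow-listed DN.
func authorised(c *x509.Certificate, roots *x509.CertPool, allow map[string]bool,
	keyOf func(*x509.Certificate) string) bool {
	_, err := c.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return false
	}
	return allow[keyOf(c)]
}

// Outcome records the decision for one certificate under each strategy, plus
// whether its DN string alone matches the original, which is all an application
// that skipped chain validation would see.
type Outcome struct{ ByCert, ByKey, ByDN, DNMatches bool }

// Scenarios seeds the allow-lists from Alice's original certificate (constructed
// test data) and evaluates the original, a renewal on the same key, a replacement
// on a new key, and an impostor with the same DN from an untrusted CA.
func Scenarios() map[string]Outcome {
	caKey, rogueKey := mustKey(), mustKey()
	ca := issue(pkix.Name{CommonName: "Test CA"}, &caKey.PublicKey, 1, nil, caKey)
	rogue := issue(pkix.Name{CommonName: "Rogue CA"}, &rogueKey.PublicKey, 1, nil, rogueKey)

	alice := pkix.Name{CommonName: "Alice Example", Organization: []string{"Example Agency"}, Country: []string{"NZ"}}
	aliceKey, newTokenKey, impostorKey := mustKey(), mustKey(), mustKey()
	original := issue(alice, &aliceKey.PublicKey, 100, ca, caKey)
	renewed := issue(alice, &aliceKey.PublicKey, 101, ca, caKey)          // expiry: same key, new certificate
	newToken := issue(alice, &newTokenKey.PublicKey, 102, ca, caKey)      // lost token: new key pair
	impostor := issue(alice, &impostorKey.PublicKey, 7, rogue, rogueKey) // same DN, CA we do not trust

	roots := x509.NewCertPool()
	roots.AddCert(ca)
	seed := func(keyOf func(*x509.Certificate) string) map[string]bool {
		return map[string]bool{keyOf(original): true}
	}
	byCert, byKey, byDN := seed(certKey), seed(pubKeyKey), seed(dnKey)

	out := map[string]Outcome{}
	for name, c := range map[string]*x509.Certificate{
		"original": original, "renewed": renewed, "newToken": newToken, "impostor": impostor,
	} {
		out[name] = Outcome{
			ByCert:    authorised(c, roots, byCert, certKey),
			ByKey:     authorised(c, roots, byKey, pubKeyKey),
			ByDN:      authorised(c, roots, byDN, dnKey),
			DNMatches: dnKey(c) == dnKey(original),
		}
	}
	return out
}

func main() {
	r := Scenarios()
	for _, name := range []string{"original", "renewed", "newToken", "impostor"} {
		o := r[name]
		fmt.Printf("%-9s cert=%-5t key=%-5t dn=%-5t (DN string matches: %t)\n",
			name, o.ByCert, o.ByKey, o.ByDN, o.DNMatches)
	}
}
```

Run with `go run .`: the renewal passes the key and DN strategies but not the certificate one, the new-token certificate passes only the DN strategy, and the impostor is rejected by all three even though its DN string is identical to Alice's, because `authorised` verifies the chain before the lookup. Dropping that `Verify` call is exactly the mistake that turns DN-based authorisation into "any CA can log in as Alice".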

