
Re: Missing Protocol ?



David,

Let me comment and rephrase what you say.

> Denis,
> 
> If the information is NOT in a public key certificate, and the
> information IS to be provided electronically instead of using methods
> from the 60's, then the question is how to provide it.

Correct.

> I'm with Bob and Peter: the directory is the answer and no new
> protocol is needed.  

LDAP (not the directory) is one answer. Then a schema and the
definition of attributes are needed.

> If there are attributes defined for passport
> number/validity, bank account number, optically-scanned document, etc,
> then those attributes can be stored in the directory either in unsigned
> normal form 

This is/was the only case I considered.

> or in signed attribute certificates.

I see no reason for this. AAs (Attribute Authorities) are not the
same as RAs (Registration Authorities).
The response comes from the RA, not an AA. In any case the use of
AAs is not mandated.

> No matter how new attribute certificates are, they are more mature than
> this undefined 'missing protocol'.  It would be most productive to use
> ACs and/or directories as is, and focus energy on establishing the catalog
> of attribute definitions.

I agree that we could work on the catalog of attribute definitions.
The only problem I see is that the requester only knows the class of
information he is looking at, while LDAP provides very precise
attributes. These attributes loosely match the classes that are
requested. If we can provide a way for getting this loose mapping,
then we are close to a solution. :-)

Regards,

Denis

 
> Dave
> 
> > From: Denis Pinkas <Denis.Pinkas@bull.net>
> >
> > Attribute Certificates are quite new and new [not] frequently used (if
> > used). As stated above, the problem does not directly relate to
> > Attribute Certificates.
> >
> > > - There are methods/protocols to "publish" certificates, or to give
> > >   controlled and secured access to them.
> >
> > Yes, but the information that is needed is NOT in the certificate.
> >
> > > > As a bottom line: if a protocol is not going to be used frequently, and we
> > > > can get by without it for occasional need, do we need the protocol at all?
> >
> > When we will have a significant deployment of a world-wide PKI, this
> > protocol will be more and more useful/needed. We are trying to
> > anticipate the needs.
> >
> > Regards,
> >
> > Denis
> >
> > > I think we don't need a new one.
> > >
> > > Peter
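The "loose mapping" Denis describes above, from the coarse classes of information a requester knows about to the precise attribute types a directory stores, is sketched below as an added example. It is not code from the thread or from any PKIX work; the class names and the mapping table are constructed assumptions, the standard attribute types are the RFC 4519 ones, and the two `x-` attributes are hypothetical placeholders since, as the thread notes, no catalogue of such attributes exists. The value-escaping helper follows RFC 4515 so that a requester-supplied subject name cannot alter the structure of the search filter.

```python
"""Mapping coarse information classes to LDAP attribute types and
building a safe RFC 4515 search filter from the result.

Added example, not part of the mailing-list thread. The class names,
the mapping table and the x-* attribute types are constructed
assumptions; cn, sn, givenName, mail, telephoneNumber, postalAddress
and postalCode are standard attribute types from RFC 4519.
"""
from typing import Dict, List, Sequence

# Constructed mapping: a coarse "class" the requester knows about
# -> candidate directory attribute types that loosely match it.
CLASS_TO_ATTRIBUTES: Dict[str, List[str]] = {
    "name":     ["cn", "sn", "givenName"],         # RFC 4519
    "contact":  ["mail", "telephoneNumber"],       # RFC 4519
    "postal":   ["postalAddress", "postalCode"],   # RFC 4519
    "identity": ["x-passportNumber"],              # hypothetical, not standardised
    "banking":  ["x-bankAccountNumber"],           # hypothetical, not standardised
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an RFC 4515 filter.

    The characters '*', '(', ')', '\\' and NUL are replaced by a
    backslash followed by their two-digit hex code. Without this, a
    requester-controlled value such as 'smith)(mail=*' would change the
    meaning of the filter (LDAP filter injection).
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def attributes_for_classes(classes: Sequence[str]) -> List[str]:
    """Resolve requested classes to a de-duplicated, ordered list of
    attribute types; unknown classes contribute nothing."""
    resolved: List[str] = []
    for cls in classes:
        for attr in CLASS_TO_ATTRIBUTES.get(cls, []):
            if attr not in resolved:
                resolved.append(attr)
    return resolved


def build_search_filter(subject_cn: str, classes: Sequence[str]) -> str:
    """Build a filter that selects the subject's entry and requires at
    least one attribute from the requested classes to be present."""
    subject = "(cn=%s)" % escape_filter_value(subject_cn)
    attrs = attributes_for_classes(classes)
    if not attrs:
        return subject
    presence = "".join("(%s=*)" % a for a in attrs)
    return "(&%s(|%s))" % (subject, presence)


if __name__ == "__main__":
    # Constructed sample request: the requester only knows it wants
    # "contact" and "postal" information about a given subject.
    print(attributes_for_classes(["contact", "postal"]))
    print(build_search_filter("Denis Pinkas", ["contact", "postal"]))
    # An injection attempt in the subject name is neutralised:
    print(build_search_filter("smith)(mail=*", ["contact"]))
```

The filter is only the retrieval half of the problem. Attributes fetched this way are, as the thread says, in "unsigned normal form": their integrity rests on the directory's access control and on the transport, not on a signature, which is the trade-off against attribute certificates that the thread is weighing.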