
Matching rules for LDAP



At the PKIX meeting yesterday there was insufficient time to go through
all the proposed agenda items. One topic that fell off the bottom was
new LDAP schema for PKIs and PMIs. I had prepared a presentation listing
a number of topics that need to be resolved, so I reproduce these here
below, so that we can get some discussion of them on the list.

Should we separate the PKI schema from the PMI schema and create two
separate IDs?

We need OID allocations from the LDAPEXT group (this is not so much an
issue as a "job to be done").

Do we need the full richness of the X.500 matching rules, or can we use a
subset of them? E.g. can we use name constraints based on whole subtrees
rather than on chopped subtrees?

Do we need to add matching rules for cross certificates and/or S/MIME
certificates?

A bug was found in X.509 (the attribute certificate syntax and the exact
match syntax are different). Has the X.509 group fixed the ASN.1 for
Geneva? And has new text been added as well? (Maybe Sharon can advise on
this.)

Should we allow LDAP attribute names to be used instead of OIDs to
reference attributes in attribute certificate matching?

X.509 has used different matching methods for PKIs and PMIs. PKI has one
complex, flexible matching rule holding most standard extensions. PMI has
a separate matching rule for each extension. Do we want to use the
X.509 method, or alternatively use the same method for both PKIs and
PMIs? Personally I think X.509 got it wrong here, and should have
devised separate matching rules for each extension for both PKIs and
PMIs. Then when new extensions are defined, new LDAP matching rules can
be defined to go with them.

How many extension matching rules should we define for PMIs:
none, the most popular ones (which are they?), or all?

This should give folks enough to think about whilst I take the plane
home later today.

David


-- 
*****************************************************************

David Chadwick, BSc PhD
Post: IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351  Fax +44 161 745 8169
Mobile: +44 790 167 0359
Email: D.W.Chadwick@salford.ac.uk
Home Page:  http://www.salford.ac.uk/its024/chadwick.htm
Research Projects: http://sec.isi.salford.ac.uk
Understanding X.500:  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J

*****************************************************************
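To make the "whole subtrees versus chopped subtrees" question concrete, here is an added example (not part of David's message or of any PKIX or X.500 text) that models an X.501-style subtree specification with base, minimum/maximum depth and chopBefore/chopAfter exclusions, next to the plain whole-subtree test. DNs are modelled as root-first tuples of RDN strings, and exclusion names are taken relative to the base; both are assumptions of this illustration.

```python
# Added illustration of X.501 subtree specifications ("chop") versus a plain
# whole-subtree name constraint. DNs are root-first tuples of RDN strings;
# specific exclusions are given relative to the base. Both are modelling
# assumptions of this example, not a transcription of the X.501 ASN.1.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DN = Tuple[str, ...]  # e.g. ("c=GB", "o=Salford", "ou=ISI")


@dataclass
class SubtreeSpec:
    base: DN                                   # root of the subtree
    minimum: int = 0                           # depth below base where matching starts
    maximum: Optional[int] = None              # depth below base where matching stops
    chop_before: List[DN] = field(default_factory=list)  # node and everything under it excluded
    chop_after: List[DN] = field(default_factory=list)   # only what lies under node excluded


def is_prefix(prefix: DN, name: DN) -> bool:
    return len(prefix) <= len(name) and name[:len(prefix)] == prefix


def in_whole_subtree(base: DN, name: DN) -> bool:
    """The simple rule: the name is at or below base. Nothing else is needed."""
    return is_prefix(base, name)


def in_chopped_subtree(spec: SubtreeSpec, name: DN) -> bool:
    """Full chop semantics: base, min/max depth and specific exclusions all apply."""
    if not is_prefix(spec.base, name):
        return False
    depth = len(name) - len(spec.base)
    if depth < spec.minimum or (spec.maximum is not None and depth > spec.maximum):
        return False
    for excl in spec.chop_before:
        if is_prefix(spec.base + excl, name):        # the excluded node and its subordinates
            return False
    for excl in spec.chop_after:
        node = spec.base + excl
        if is_prefix(node, name) and name != node:   # subordinates only; the node itself stays
            return False
    return True


# Constructed sample: everything under o=Salford to depth 2, minus the Students
# subtree, and keeping ou=Staff itself but nothing beneath it.
SAMPLE_SPEC = SubtreeSpec(
    base=("c=GB", "o=Salford"),
    maximum=2,
    chop_before=[("ou=Students",)],
    chop_after=[("ou=Staff",)],
)
```

The same name can pass the whole-subtree test and fail the chopped one, which is exactly the extra machinery a subset of the X.500 matching rules would give up.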