Re: Basic Cert-2-Directory mapping question

Anders,

Guys!
The response on this "basic" question has simply been overwhelming!

Even if you can force CAs to obey certain rules regarding DNs, I still believe
that this inability to use certificates created in "one regime", as credentials in
another Win2K or NetWare "regime" calls for *some* kind of action.

Not necessarily. Personally, I'm comfortable having multiple certs issued by different CAs, each authoritative for a distinct PKI. Large, isolated PKIs are OK, if one has a clear plan for why they will remain isolated. SET, though a failure in many respects, is a good example of such an isolated PKI. Also, although we have not mentioned it in this exchange, PKIX has the AIA extension, and will add back the SIA extension, which provide explicit pointers to directories once you have a target certificate, e.g., for retrieval of CA certs and CRLs. Many security protocols provide an ability to send certs as part of the protocol, which alleviates the need for blind searching for certs.


At least those who are into TTPs (commercial or not) should be interested.


yes, TTPs who argue for "one person, one cert" have an interest in this issue, but that's not the only game in town, and if the problem is mostly a directory issue, then the discussion belongs in a directory WG, not in PKIX.

Steve
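The AIA and SIA extensions Steve refers to are what let a relying party go straight to the issuing CA's certificate or revocation service instead of searching a directory. The following is an added example, not part of either message above or of any PKIX document: a self-contained DER encoder/decoder for the AuthorityInfoAccess / SubjectInfoAccess value as defined in RFC 5280 section 4.2.2 (both share the same SEQUENCE OF AccessDescription syntax). The access-method OIDs are the real ones from RFC 5280; the extension bytes, hostnames and URIs are constructed here for illustration and come from no real certificate. A relying party that pulls these pointers from a certificate should treat them as untrusted input: the parser rejects indefinite lengths and trailing bytes, and a non-URI accessLocation (for example a directoryName) is reported rather than assumed to be a URL.

```python
"""Decode the AuthorityInfoAccess / SubjectInfoAccess extension value (RFC 5280, 4.2.2).

Pure-Python DER handling so it runs offline. The sample extension bytes built at
the bottom are constructed for this example and are not from a real certificate.
"""

# Access-method OIDs from RFC 5280 section 4.2.2 (these are real, registered values)
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"
ID_AD_CA_REPOSITORY = "1.3.6.1.5.5.7.48.5"
ACCESS_METHOD_NAMES = {
    ID_AD_OCSP: "ocsp",
    ID_AD_CA_ISSUERS: "caIssuers",
    ID_AD_CA_REPOSITORY: "caRepository",
}

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_GN_URI = 0x86  # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String


def der_len(n):
    """Encode a DER length (short form below 128, minimal long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """Wrap a value in a tag and DER length."""
    return bytes([tag]) + der_len(len(body)) + body


def _base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """Dotted-decimal OID -> OID contents octets (without tag/length)."""
    arcs = [int(a) for a in dotted.split(".")]
    return bytes([40 * arcs[0] + arcs[1]]) + b"".join(_base128(a) for a in arcs[2:])


def decode_oid(body):
    """OID contents octets -> dotted-decimal string."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if val:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:end], end


def parse_info_access(der):
    """Return [(method_name, location_tag, location_or_None), ...] for an AIA/SIA value."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        t, oid_body, p = read_tlv(desc, 0)
        if t != TAG_OID:
            raise ValueError("accessMethod must be an OID")
        gn_tag, loc, p = read_tlv(desc, p)
        if p != len(desc):
            raise ValueError("trailing bytes in AccessDescription")
        method = decode_oid(oid_body)
        # Only the URI choice is decoded as text; other GeneralName choices are reported by tag.
        location = loc.decode("ascii") if gn_tag == TAG_GN_URI else None
        entries.append((ACCESS_METHOD_NAMES.get(method, method), gn_tag, location))
    return entries


def build_info_access(uri_entries):
    """Encode [(method_oid, uri), ...] as an AIA/SIA extension value (URI locations only)."""
    descs = [der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, encode_oid(oid)) + der_tlv(TAG_GN_URI, uri.encode("ascii")))
             for oid, uri in uri_entries]
    return der_tlv(TAG_SEQUENCE, b"".join(descs))


def ca_issuer_uris(der):
    """The caIssuers URIs: where a relying party fetches the issuing CA certificate."""
    return [loc for name, _tag, loc in parse_info_access(der) if name == "caIssuers" and loc]


# Constructed sample: hostnames and paths are placeholders, not a real CA's endpoints.
SAMPLE_AIA = build_info_access([
    (ID_AD_CA_ISSUERS, "http://pki.example/ca.cer"),
    (ID_AD_OCSP, "http://ocsp.example"),
])
# Constructed sample with a directoryName ([4], constructed) location holding an empty Name.
SAMPLE_AIA_DN = der_tlv(TAG_SEQUENCE, der_tlv(TAG_SEQUENCE,
    der_tlv(TAG_OID, encode_oid(ID_AD_CA_ISSUERS)) + der_tlv(0xA4, der_tlv(TAG_SEQUENCE, b""))))

if __name__ == "__main__":
    for name, tag, loc in parse_info_access(SAMPLE_AIA):
        print(f"{name:12s} tag=0x{tag:02x} location={loc}")
    print("caIssuers URIs:", ca_issuer_uris(SAMPLE_AIA))
```

In practice the bytes handed to parse_info_access come from the extnValue of the certificate's AIA or SIA extension; the same parser serves both because SubjectInfoAccessSyntax reuses the AccessDescription structure with caRepository in place of caIssuers.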