
RE: Basic Cert-2-Directory mapping question



As the traffic on this topic points out, there are a lot of people who see
this as an issue.  Whether we can agree on exactly what the issue is and how
to proceed may be another matter ... :-)

As have many others on this list, I've been giving this issue some thought
lately, focusing on the problems as seen from the perspective of a large
user like my company. Although I've come to a different set of conclusions
from those discussed so far in this thread, my energy has been focused on
the same problem that Bob Jueneman pointed out: knowing the location of a
directory service provider that is supposed to contain the DN. 

My basic premise is that if we can come up with a deterministic algorithm
that takes an arbitrary (but reasonably well structured) DN and resolves it
to a set of FQDNs where one can find LDAP services, we can deterministically
get from the DN to the associated directory entry.  As Steve Kent pointed
out, there exists a body of work to do this in the limited case of DNs based
on (DNS) domainComponent naming.  My thoughts are along that line, but
expand to cover the so-called "civil" naming constructs in DNs, such as
country, organization, and so on.  I think that's the goal Anders originally
stated, starting this whole thread.

If people are interested, I'll summarize the algorithm I've come up with so
far and distribute it for review.  If need be, we could consider whether
this is worthy of an I-D, or a BOF at Minneapolis, or whatever...

Regards,

 -- Skip Slone
    Lockheed Martin
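The domainComponent case Skip refers to (the "body of work" for DNs built from dc= attributes) can be shown concretely. The following is an added illustration, not Skip's algorithm and not from the thread: it parses a string DN, maps its dc= components to a DNS domain in the RFC 2247 manner, and produces the SRV owner names (`_ldap._tcp.<domain>`, the RFC 2782 convention) a client would query to find LDAP servers. The "walk up the dc hierarchy" candidate list is an assumption of this example, the sample DNs are constructed, and no DNS lookup is performed. Because the DN normally comes from a certificate, each dc value is validated as a hostname label before it is placed in a query name.

```python
"""Map the dc= part of an X.500/LDAP string DN to the DNS names under which
an LDAP service for that naming context may be advertised.

Added illustration of the domainComponent case (RFC 2247 dc mapping,
RFC 2782 _ldap._tcp SRV names). The walk-up candidate list is an assumption
of this example, not something the mailing-list post describes."""
import re
from typing import List, Optional, Tuple

# Attribute types under which domainComponent can appear in a string DN:
# the short name and its OID (RFC 2247 / RFC 4519).
DC_TYPES = ("dc", "0.9.2342.19200300.100.1.25")

# One DNS hostname label: letters, digits, hyphen, 1..63 chars, no edge hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (attributeType, value) pairs.

    Backslash escapes are honoured so 'cn=Slone\\, Skip' keeps its comma
    instead of being cut into two RDNs; the escape is then removed from the
    value. Multi-valued RDNs ('cn=a+sn=b') are kept as one pair."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:                 # tolerate 'a=b,,c=d' or a trailing comma
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        value = re.sub(r"\\(.)", r"\1", value.strip())   # drop escape backslashes
        pairs.append((attr.strip().lower(), value))
    return pairs


def is_dns_label(value: str) -> bool:
    """True if value is acceptable as a single DNS hostname label."""
    return bool(_LABEL_RE.match(value))


def dc_domain(dn: str) -> Optional[str]:
    """RFC 2247 mapping: join the dc values left to right (most specific
    first), so 'cn=x,dc=eng,dc=example,dc=com' -> 'eng.example.com'.

    Returns None for a DN with no domainComponent at all, e.g. a purely
    'civil' DN such as 'cn=x,o=Acme,c=US'; that is exactly the case the
    existing dc-based work does not cover. Raises ValueError if a dc value
    is not a valid label, so untrusted DN content never reaches a resolver."""
    dcs = [v for a, v in split_rdns(dn) if a in DC_TYPES]
    if not dcs:
        return None
    for label in dcs:
        if not is_dns_label(label):
            raise ValueError(f"dc value is not a valid DNS label: {label!r}")
    return ".".join(label.lower() for label in dcs)   # DNS names are case-insensitive


def ldap_srv_candidates(dn: str) -> List[str]:
    """SRV owner names to query, from the full dc-derived domain upward.

    Walking up one label at a time is an assumption of this example (a site
    may publish _ldap._tcp only at its organisation apex); RFC 2247 itself
    maps the DN to the single domain. The bare TLD is never queried."""
    domain = dc_domain(dn)
    if domain is None:
        return []
    labels = domain.split(".")
    return [f"_ldap._tcp.{'.'.join(labels[i:])}" for i in range(len(labels) - 1)]


if __name__ == "__main__":
    # Constructed sample DNs; none refer to a real directory.
    for sample in ("cn=Slone\\, Skip,ou=Engineering,dc=eng,dc=Example,dc=com",
                   "cn=x,o=Acme,c=US"):
        print(sample, "->", ldap_srv_candidates(sample))
```

A client that implements Skip's premise would try these names in order and stop at the first that yields SRV records; a DN that produces an empty list (no dc= components) is the civil-naming gap the message proposes to close.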