
RE: Basic Cert-2-Directory mapping question
Skip,

Doesn't the existence of a deterministic algorithm depend on users
of civil (Country-based) names following the rules?

As Michael Ströder pointed out, everyone wants a short name in a
flat namespace.  But not every Joe's Bar & Grill in the US can
have certificates with the name "C=US, O=Joe's Bar & Grill".  If
TTP CAs are willing to issue such certificates without evidence
that the name has been registered with the US national authority,
what algorithm can possibly find all the directory entries for
that DN?

Dave
> From: "Slone, Skip" <skip.slone@xxxxxxxx>
> Subject: RE: Basic Cert-2-Directory mapping question
> To: ietf-pkix@xxxxxxx
> 
> As the traffic on this topic points out, there are a lot of people who see
> this as an issue.  Whether we can agree on exactly what the issue is and how
> to proceed may be another matter ... :-)
> 
> As have many others on this list, I've been giving this issue some thought
> lately, focusing on the problems as seen from the perspective of a large
> user like my company. Although I've come to a different set of conclusions
> from those discussed so far in this thread, my energy has been focused on
> the same problem that Bob Jueneman pointed out: knowing the location of a
> directory service provider that is supposed to contain the DN. 
> 
> My basic premise is that if we can come up with a deterministic algorithm
> that takes an arbitrary (but reasonably well structured) DN and resolves it
> to a set of FQDNs where one can find LDAP services, we can deterministically
> get from the DN to the associated directory entry.  As Steve Kent pointed
> out, there exists a body of work to do this in the limited case of DNs based
> on (DNS) domainComponent naming.  My thoughts are along that line, but
> expand to cover the so-called "civil" naming constructs in DNs, such as
> country, organization, and so on.  I think that's the goal Anders originally
> stated, starting this whole thread.
> 
> If people are interested, I'll summarize the algorithm I've come up with so
> far and distribute it for review.  If need be, we could consider whether
> this is worthy of an I-D, or a BOF at Minneapolis, or whatever...
> 
> Regards,
> 
>  -- Skip Slone
>     Lockheed Martin
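The domainComponent case Skip refers to is the one with a deterministic answer, and Dave's civil-name case is the one without. This added example (not code from the thread; a simplified string-DN parser and the dc-to-DNS mapping of RFC 2247 with the _ldap._tcp SRV name of RFC 2782, using a constructed example.com DN) shows where the mapping exists and where it returns nothing:

```python
"""Map a DN to the DNS name under which its LDAP service can be located.

Only the domainComponent (dc=) form has a deterministic mapping: the trailing
dc RDNs, read left to right, are the DNS labels (RFC 2247), and LDAP servers
for that domain are advertised at the _ldap._tcp SRV name (RFC 2782).
Civil names such as "C=US, O=Joe's Bar & Grill" carry no such mapping.
"""
import re
from typing import List, Optional, Tuple

# Split a string DN into RDNs on unescaped commas (simplified RFC 4514 syntax;
# multi-valued RDNs with '+' are not handled here).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return (attribute, value) pairs, most-specific (leftmost) RDN first."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition("=")
        if not attr or not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def dn_to_dns_name(dn: str) -> Optional[str]:
    """RFC 2247 mapping for dc-based DNs; None when the DN is civil-named.

    Only the contiguous run of dc RDNs at the end of the DN is used, since
    RDNs above it (cn=, ou=, ...) are local to that directory's tree.
    """
    labels = []
    for attr, value in reversed(parse_dn(dn)):
        if attr != "dc":
            break
        labels.append(value)
    if not labels:
        return None  # e.g. C=US, O=Joe's Bar & Grill: nothing to resolve
    labels.reverse()  # dc=example,dc=com -> example.com
    return ".".join(labels)


def ldap_srv_name(dn: str) -> Optional[str]:
    """SRV owner name to query for the LDAP servers serving this DN's domain."""
    domain = dn_to_dns_name(dn)
    return None if domain is None else f"_ldap._tcp.{domain}"
```

A resolver would then query the SRV name for the host:port list; the civil-name DN yields no name to query at all, which is exactly the gap the thread is discussing.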