RE: Basic Cert-2-Directory mapping question

["Slone, Skip" <skip.slone@xxxxxxxx>]

David, 

Only somewhat tongue-in-cheek, I'll say the answer to your question is "only
if you want the right answer" ;-) 

As I see it, we're dealing with the fact that we have extant DNs all over
the map with no semblance of a registration authority. Consequently, we have
no reasonable way of getting from an arbitrary DN to a directory service.
The closest thing to a global registration authority that exists is DNS
(including, of course, its whole supporting cast). As such, it made sense
for the Internet community to tackle those names found within the current
DNS struture.  What I would like to propose is that we build on that success
and extend the authority of DNS into other parts of the DN namespace.  To do
so requires the definition of some mappings (namely c=XX to <ccTLD>) and the
creation of a way (i.e., a new DNS RR type) to use DNS to register names
traditionally associated with X.500/LDAP.

By way of example, what I'm talking about is the ability to take a DN of the
form "cn=Skip Slone, o=Lockheed Martin, c=US" and determine that the LDAP
server to check is found at (for example) ldap1.external.lmco.com. 

That said, such registration in DNS, combined with a deterministic algorithm
will return a result of the following form:
 a) the DN maps to an LDAP server found at foo.com, OR
 b) the DN does not map to a registered LDAP server

If you get answer "a" you then send an LDAP query to foo.com:389 to find the
entry itself. 

To answer your question properly, I would contend that if "o=Foo, Inc." is
not registered under these rules, you would get answer "b".  Even though you
don't find the entry, you still get a deterministic response.

 -- Skip

-----Original Message-----
From: David P. Kemp [mailto:dpkemp@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, January 10, 2001 2:51 PM
To: ietf-pkix@xxxxxxx
Subject: RE: Basic Cert-2-Directory mapping question


Skip,

Doesn't the existence of a deterministic algorithm depend on users
of civil (Country-based) names following the rules?

As Michael Ströder pointed out, everyone wants a short name in a
flat namespace.  But not every Joe's Bar & Grill in the US can
have certificates with the name "C=US, O=Joe's Bar & Grill".  If
TTP CAs are willing to issue such certificates without evidence
that the name has been registered with the US national authority,
what algorithm can possibly find all the directory entries for
that DN?

Dave




> From: "Slone, Skip" <skip.slone@xxxxxxxx>
> Subject: RE: Basic Cert-2-Directory mapping question
> To: ietf-pkix@xxxxxxx
> 
> As the traffic on this topic points out, there are a lot of people who see
> this as an issue.  Whether we can agree on exactly what the issue is and
how
> to proceed may be another matter ... :-)
> 
> As have many others on this list, I've been giving this issue some thought
> lately, focusing on the problems as seen from the perspective of a large
> user like my company. Although I've come to a different set of conclusions
> from those discussed so far in this thread, my energy has been focused on
> the same problem that Bob Jueneman pointed out: knowing the location of a
> directory service provider that is supposed to contain the DN. 
> 
> My basic premise is that if we can come up with a deterministic algorithm
> that takes an arbitrary (but reasonably well structured) DN and resolves
it
> to a set of FQDNs where one can find LDAP services, we can
deterministically
> get from the DN to the associated directory entry.  As Steve Kent pointed
> out, there exists a body of work to do this in the limited case of DNs
based
> on (DNS) domainComponent naming.  My thoughts are along that line, but
> expand to cover the so-called "civil" naming constructs in DNs, such as
> country, organization, and so on.  I think that's the goal Anders
originally
> stated, starting this whole thread.
> 
> If people are interested, I'll summarize the algorithm I've come up with
so
> far and distribute it for review.  If need be, we could consider whether
> this is worthy of an I-D, or a BOF at Minneapolis, or whatever...
> 
> Regards,
> 
>  -- Skip Slone
>     Lockheed Martin