[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Basic Cert-2-Directory mapping question

To: "Slone, Skip" <skip.slone@xxxxxxxx>, <ietf-pkix@xxxxxxx>
Subject: Re: Basic Cert-2-Directory mapping question
From: "Anders Rundgren" <anders.rundgren@xxxxxxxxx>
Date: Wed, 10 Jan 2001 22:08:15 +0100
References: <>

Skip,

I have a feeling that we are addressing slightly different problems.
Your suggestion *seems* to address the mapping of one cert DN into *one*
particular directory.

I am more interested in the mapping of one cert DN into *many* different RPs directories.
In that case DNS would not help as the mapping is entirely local.

Anders

> 
> As I see it, we're dealing with the fact that we have extant DNs all over
> the map with no semblance of a registration authority. Consequently, we have
> no reasonable way of getting from an arbitrary DN to a directory service.
> The closest thing to a global registration authority that exists is DNS
> (including, of course, its whole supporting cast). As such, it made sense
> for the Internet community to tackle those names found within the current
> DNS struture.  What I would like to propose is that we build on that success
> and extend the authority of DNS into other parts of the DN namespace.  To do
> so requires the definition of some mappings (namely c=XX to <ccTLD>) and the
> creation of a way (i.e., a new DNS RR type) to use DNS to register names
> traditionally associated with X.500/LDAP.
> 
> By way of example, what I'm talking about is the ability to take a DN of the
> form "cn=Skip Slone, o=Lockheed Martin, c=US" and determine that the LDAP
> server to check is found at (for example) ldap1.external.lmco.com. 
> 
> That said, such registration in DNS, combined with a deterministic algorithm
> will return a result of the following form:
>  a) the DN maps to an LDAP server found at foo.com, OR
>  b) the DN does not map to a registered LDAP server
> 
> If you get answer "a" you then send an LDAP query to foo.com:389 to find the
> entry itself. 
> 
> To answer your question properly, I would contend that if "o=Foo, Inc." is
> not registered under these rules, you would get answer "b".  Even though you
> don't find the entry, you still get a deterministic response.
> 
>  -- Skip
> 
> -----Original Message-----
> From: David P. Kemp [mailto:dpkemp@xxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, January 10, 2001 2:51 PM
> To: ietf-pkix@xxxxxxx
> Subject: RE: Basic Cert-2-Directory mapping question
> 
> 
> Skip,
> 
> Doesn't the existence of a deterministic algorithm depend on users
> of civil (Country-based) names following the rules?
> 
> As Michael Ströder pointed out, everyone wants a short name in a
> flat namespace.  But not every Joe's Bar & Grill in the US can
> have certificates with the name "C=US, O=Joe's Bar & Grill".  If
> TTP CAs are willing to issue such certificates without evidence
> that the name has been registered with the US national authority,
> what algorithm can possibly find all the directory entries for
> that DN?
> 
> Dave
> 
> 
> 
> 
> > From: "Slone, Skip" <skip.slone@xxxxxxxx>
> > Subject: RE: Basic Cert-2-Directory mapping question
> > To: ietf-pkix@xxxxxxx
> > 
> > As the traffic on this topic points out, there are a lot of people who see
> > this as an issue.  Whether we can agree on exactly what the issue is and
> how
> > to proceed may be another matter ... :-)
> > 
> > As have many others on this list, I've been giving this issue some thought
> > lately, focusing on the problems as seen from the perspective of a large
> > user like my company. Although I've come to a different set of conclusions
> > from those discussed so far in this thread, my energy has been focused on
> > the same problem that Bob Jueneman pointed out: knowing the location of a
> > directory service provider that is supposed to contain the DN. 
> > 
> > My basic premise is that if we can come up with a deterministic algorithm
> > that takes an arbitrary (but reasonably well structured) DN and resolves
> it
> > to a set of FQDNs where one can find LDAP services, we can
> deterministically
> > get from the DN to the associated directory entry.  As Steve Kent pointed
> > out, there exists a body of work to do this in the limited case of DNs
> based
> > on (DNS) domainComponent naming.  My thoughts are along that line, but
> > expand to cover the so-called "civil" naming constructs in DNs, such as
> > country, organization, and so on.  I think that's the goal Anders
> originally
> > stated, starting this whole thread.
> > 
> > If people are interested, I'll summarize the algorithm I've come up with
> so
> > far and distribute it for review.  If need be, we could consider whether
> > this is worthy of an I-D, or a BOF at Minneapolis, or whatever...
> > 
> > Regards,
> > 
> >  -- Skip Slone
> >     Lockheed Martin
>

References:
- RE: Basic Cert-2-Directory mapping question
  - From: Slone, Skip

Prev by Date: RE: Basic Cert-2-Directory mapping question
Next by Date: RE: Basic Cert-2-Directory mapping question
Previous by thread: RE: Basic Cert-2-Directory mapping question
Next by thread: Re: Basic Cert-2-Directory mapping question
Index(es):
- Date
- Thread