Re: Basic Cert-2-Directory mapping question
Bob Jueneman wrote:
>
> But notice some of the problems. I'm not picking on our
> esteemed co-chair, but notice that Steve's e-mail address,
> kent@xxxxxxx, is two corporate mergers behind the times,
So what? I don't care about his e-mail address at all. I did not
even look at it! Could be hotmail.com, earthlink.net, web.de or
whatever. It does not carry any information for me.
The most important thing to me as a user is to reach *him* under
this e-mail address *he* used as from address. And if I'm really
paranoid I try to get a hold of *his* certificate. And the CA would
have to revoke *his* certificate if *he*'s not reachable under this
e-mail address anymore.
> But in either case, that doesn't necessarily mean that they would
> choose to host their own directory service, and perhaps especially
> not for certificates.
Yes, which leads to Anders' question of how to map one certificate in
several directories. In this case you're maintaining your directory
to hold certificates of your e-mail partners (I still did not find
the time to write an e-mail filter which automatically pulls out the
certs found in signed e-mails passing a mail relay and puts them
into an LDAP directory).
> But what if they later decide to switch e-mail service providers. Are
> they then obligated to get new certificates, even though the old
> ones haven't expired yet?
YES!
> And what does that do to the concept of validation
> of still valid certs for binding transactions?
Revoke the certs for the old e-mail address if they're not using it
anymore => binding will fail. Or did I get you wrong?
> It is for these kinds of reasons that I believe that any form of
> generally workable directory locator scheme CANNOT POSSIBLY be based
> on a deterministic relationship between the location of the directory
> and a web address or e-mail address per se, simply because the directory
> service provider may have nothing whatsoever to do with those other
> services.
We already have primary DNS servers which can give authoritative
answers for DNS domains. For a deterministic relationship between
the location of the directory and a web address or e-mail address we
need "primary directory servers" which are responsible for holding
e.g. dc=stroeder,dc=com. I see no reason why I shouldn't be able to
delegate this to a directory service provider similar to my ISP
being responsible for managing *my* DNS domain stroeder.com. And
sure they can be different service providers.
For those not having their own domain, directory servers for
hotmail.com, earthlink.net, web.de etc. could hold the directory
entries (or delegate it to another provider).
Locating the directory services and a person's entry would be pretty
easy by using the e-mail address, RFC2377 and/or a service like
ldap://root.openldap.org without any new standards.
Ciao, Michael.
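The lookup path Michael sketches (e-mail address, RFC 2377 domain-component base DN, directory server located through DNS, then a search for the person's certificate entry), written out as an added example that is not part of the original thread. It assumes the `_ldap._tcp` SRV convention of RFC 2782 for finding the server and the usual `inetOrgPerson` / `mail` / `userCertificate;binary` schema; the sample address is constructed. It also escapes the address inside the search filter as RFC 4515 requires, so that a crafted local part cannot alter the filter's structure, a detail the thread does not discuss.

```python
from urllib.parse import quote

# Constructed sample input; not an address taken from the thread.
SAMPLE_MAIL = "michael@stroeder.com"

# RFC 4515: these characters must be hex-escaped inside an assertion value,
# otherwise text copied from a message could change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def domain_to_base_dn(domain: str) -> str:
    """RFC 2377 naming: one dc= RDN per DNS label, most specific label first."""
    labels = [label for label in domain.lower().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={label}" for label in labels)


def srv_query_name(domain: str) -> str:
    """DNS owner name to query for the domain's LDAP server (RFC 2782 style)."""
    return f"_ldap._tcp.{domain.lower().strip('.')}"


def locate_cert_entry(mail: str) -> dict:
    """Derive, from an e-mail address alone, where its certificate would be looked up.

    Returns the SRV name to resolve for the directory server, the RFC 2377
    search base, an escaped search filter, and an RFC 4516 LDAP URL asking
    for the entry's binary certificate attribute. No network access is made.
    """
    local, sep, domain = mail.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {mail!r}")
    base = domain_to_base_dn(domain)
    filt = f"(&(objectClass=inetOrgPerson)(mail={escape_filter_value(mail)}))"
    # Host is left empty: the client is expected to find it via the SRV record.
    url = (
        f"ldap:///{quote(base, safe='=,')}"
        f"?userCertificate;binary?sub?{quote(filt, safe='()=&*@')}"
    )
    return {"srv": srv_query_name(domain), "base": base, "filter": filt, "url": url}


if __name__ == "__main__":
    for key, value in locate_cert_entry(SAMPLE_MAIL).items():
        print(f"{key:7}: {value}")
```

The domain part of the address decides everything here, which is exactly the deterministic relationship the two sides are arguing about: whoever answers for `_ldap._tcp.<domain>` is the "primary directory server" for `dc=...` in Michael's sense, and a provider that hosts the domain's DNS can delegate that record to whichever directory provider the owner picks.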