
Re: Basic Cert-2-Directory mapping question



Michael Ströder wrote:
> Yes, which leads to Anders' question how to map one certificate in
> several directories. In this case you're maintaining your directory
> to hold certificates of your e-mail partners (I still did not find
> the time to write an e-mail filter which automatically pulls out the
> certs found in signed e-mails passing a mail relay and puts them
> into a LDAP directory).

Mapping one certificate to many directories doesn't seem too hard to
accomplish using SRV records, given that the certificate is named in
accordance with RFC 2377.

For purposes of local mirroring however, explicit configuration is
probably required in order to have local RPs query the local "cache"
before, or as a complement to querying external repositories. This would
probably also have to cater for the vast amount of arbitrarily named
certificates currently in circulation.

> For those not having their own domain directory servers for
> hotmail.com, earthlink.net, web.de etc. could hold the directory
> entries (or delegate it to another provider).

The party certifying, say, a webmail.example e-mail address does not
need to be "authoritative" for that domain. A given third party, in this
case ttp.example, could issue the webmail certificate using a 'dc=ttp,
dc=example' DN with the webmail.example e-mail address as a subject
alternate name, directing RPs to query ttp.example responders instead of
webmail.example ones.

This is one way different providers can be selected for hosting e-mail
and directory services.

//oscar
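The mapping the thread relies on, as an added example that is not part of the original post: RFC 2377 turns a DNS domain into domain-component RDNs, and a relying party reading a certificate follows the dc= components of the subject DN (here the third party's `dc=ttp,dc=example`) to the `_ldap._tcp.<domain>` SRV name, rather than the domain of the e-mail address in the subjectAltName. The certificate record, the "local cache" list and the `lookup_targets` ordering are constructed for illustration; the DN parser is a simplified one that does not handle escaped commas.

```python
"""RFC 2377 domain <-> dc= DN mapping and the SRV name a relying party
derives from a certificate's subject DN.  Example code for this thread,
not from the original post; DN parsing is simplified (no RFC 4514 escapes).
"""
from typing import Dict, List


def domain_to_dc_dn(domain: str) -> str:
    """RFC 2377: each DNS label becomes one dc= RDN, most specific first."""
    labels = [l for l in domain.strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={l}" for l in labels)


def dc_dn_to_domain(dn: str) -> str:
    """Recover the DNS domain from the dc= components of a DN string.

    Non-dc RDNs (cn=, ou=, ...) are ignored; the dc RDNs are expected in
    the usual most-specific-first order, so joining them with '.' gives
    the domain.  Simplified parser: splits on unescaped commas only.
    """
    labels = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        if attr.strip().lower() == "dc":
            labels.append(value.strip().lower())
    if not labels:
        raise ValueError("DN carries no dc= components")
    return ".".join(labels)


def srv_name(domain: str, service: str = "ldap", proto: str = "tcp") -> str:
    """DNS name an RP queries for the directory serving this domain."""
    return f"_{service}._{proto}.{domain}"


def responder_srv_for_cert(cert: Dict[str, object]) -> str:
    """Thread's rule: the issuer's dc= naming in the subject DN, not the
    e-mail domain in the SAN, selects the directory to query."""
    return srv_name(dc_dn_to_domain(str(cert["subject_dn"])))


def lookup_targets(cert: Dict[str, object], local_mirrors: List[str]) -> List[str]:
    """Local mirror(s) are consulted before the external SRV target, as
    the post suggests for local RPs; returned as an ordered target list."""
    external = responder_srv_for_cert(cert)
    return [f"local:{m}" for m in local_mirrors] + [f"srv:{external}"]


# Constructed sample certificate: issued by ttp.example for a
# webmail.example mailbox (hypothetical names, not from the thread's data).
SAMPLE_CERT = {
    "subject_dn": "cn=Alice,dc=ttp,dc=example",
    "san_emails": ["alice@webmail.example"],
}


if __name__ == "__main__":
    print(domain_to_dc_dn("webmail.example"))            # dc=webmail,dc=example
    print(responder_srv_for_cert(SAMPLE_CERT))           # _ldap._tcp.ttp.example
    print(lookup_targets(SAMPLE_CERT, ["ldap.corp.example"]))
```

The point of `responder_srv_for_cert` is that the SAN e-mail domain (`webmail.example`) never enters the SRV name; only the certifying party's own naming does, which is what lets a third party certify addresses in domains it is not authoritative for.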