Re: Basic Cert-2-Directory mapping question
Michael Ströder wrote:
> Example for 1.:
>
> a) Assuming you want to locate an entry for
> webmaster@xxxxxxxxxxxxxxxx for retrieving the certificate and your
> client implementation is capable of searching the SRV RR in the DNS.
>
> 1. You search for SRV record _ldap._tcp.www.stroeder.com. -> no
> result
>
> 2. You search for SRV record _ldap._tcp.stroeder.com. -> RR points
> to LDAP server directory.adm.stroeder.com.
>
> 3. You're doing the LDAP search
> ldap://directory.adm.stroeder.com/dc=stroeder,dc=com??sub?(mail=webmaster@xxxxxxxxxxxxxxxx)
Another approach might be to retrieve the certificate from the DNS in
the first step, such as:
1. You search for CERT record webmaster.www.stroeder.com -> gets
certificate.
For an application that already implements "advanced" DNS features such
as SRV, this is a simpler and faster solution.
I believe uses of SRV records to locate LDAP servers to look up a
certificate for a hostname or email address may be replaced with simply
looking up a CERT record. I also believe exactly this kind of operation
is quite common (mail clients). This solution is also less complicated.
Of course, CERT records would not help locating a certificate with a
"cn=foo, o=bar, c=US" kind of certificate, but then, SRV wouldn't
either. In most of these cases you'll probably have the LDAP server
pre-configured anyway.
(CERT records are documented in RFC 2538.)
/Simon
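An added example (not code from either message in this thread): the SRV walk and LDAP URL construction from the quoted steps 1-3, beside the CERT-record lookup proposed in the reply, run against a constructed in-memory DNS table instead of a live resolver. The records, the base-DN derivation from the SRV zone and the sample address webmaster@www.stroeder.com are assumptions made for the example.

```python
# Constructed DNS table standing in for a real resolver (not from the thread).
FAKE_DNS = {
    # SRV: (priority, weight, port, target) per RFC 2782; nothing under www.
    ("_ldap._tcp.stroeder.com.", "SRV"): [(10, 50, 389, "directory.adm.stroeder.com.")],
    # CERT: (type, key tag, algorithm, certificate) per RFC 2538; type 1 = PKIX.
    ("webmaster.www.stroeder.com.", "CERT"): [(1, 0, 0, b"<constructed DER placeholder>")],
}

def lookup(name, rtype, dns=FAKE_DNS):
    """Stand-in for a resolver query; returns the RRset or an empty list."""
    return dns.get((name.lower(), rtype), [])

def find_ldap_server_via_srv(domain, dns=FAKE_DNS):
    """Steps 1-2: query _ldap._tcp SRV at the mail domain, then at each parent
    zone, stopping before the TLD. Returns (host, port, zone) or None."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        zone = ".".join(labels[i:])
        rrs = lookup("_ldap._tcp." + zone + ".", "SRV", dns)
        if rrs:
            # Deterministic pick: lowest priority, then highest weight
            # (RFC 2782 wants a weighted random choice among equal priorities).
            _prio, _weight, port, target = sorted(rrs, key=lambda r: (r[0], -r[1]))[0]
            return target.rstrip("."), port, zone
    return None

def ldap_filter_escape(value):
    """RFC 4515 escaping, so the address cannot change the filter's structure."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, esc)
    return value

def ldap_url_for_mail(mail, dns=FAKE_DNS):
    """Step 3: build the search URL. Assumption: the base DN is the SRV zone
    mapped label by label to dc= components (RFC 2247)."""
    found = find_ldap_server_via_srv(mail.split("@", 1)[1], dns)
    if found is None:
        return None
    host, port, zone = found
    base_dn = ",".join("dc=" + label for label in zone.split("."))
    hostport = host if port == 389 else "%s:%d" % (host, port)
    return "ldap://%s/%s??sub?(mail=%s)" % (hostport, base_dn, ldap_filter_escape(mail))

def cert_owner_name(mail):
    """RFC 2538 owner name for an e-mail address: the '@' becomes a '.'."""
    local, domain = mail.split("@", 1)
    return "%s.%s." % (local, domain.rstrip("."))

def locate_certificate(mail, dns=FAKE_DNS):
    """The reply's suggestion: try the CERT record first, fall back to SRV + LDAP."""
    certs = [rr for rr in lookup(cert_owner_name(mail), "CERT", dns) if rr[0] == 1]
    if certs:
        return ("dns", certs)
    url = ldap_url_for_mail(mail, dns)
    return ("ldap", url) if url else None
```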