
RE: Basic Cert-2-Directory mapping question



Here's a use case that fits my scenario:

An RP needs to find a directory entry corresponding to a given certificate,
where:
 - the certificate subject name uses civil-style naming, 
 - the RP's known directories have no knowledge (direct or indirect), and
 - the subject's domain name is not known and cannot be derived.  

With today's tools, this use case fails:
 - LDAPv3 referrals fail due to the lack of knowledge,
 - PKIXREP fails due to the lack of a domain name.

Am I overlooking some tool that can do the job?

 -- Skip

-----Original Message-----
From: Michael Ströder [mailto:michael@xxxxxxxxxxxx]
Sent: Thursday, January 11, 2001 10:31 AM
To: ietf-pkix@xxxxxxx
Subject: Re: Basic Cert-2-Directory mapping question


"Slone, Skip" wrote:
> 
> If LDAPv3 referrals were sufficient, we wouldn't be having this
> conversation.

Who said that LDAPv3 referrals are the overall solution without
prior configuration?

> LDAPv3 referrals WILL work in the following two cases:
> 
> 1) where my server's administrator already knows how to find the target
> name space, or
> 2) where my server and the server holding the target name space
> participate in some fully-connected DIT
> [..]

Yes.

> What I'm discussing is a way to fill in the gap where (1) my server does
> not already know how to find a certain name space, and (2) there's a
> knowledge disconnect between my server and the server holding the target.
> In this case, LDAPv3 referrals WILL NOT work.

Yes.

And RFC2377 does not work without SRV RRs. Yes. And I can't access
http://www.ietf.org without somebody having added the entry
www.ietf.org to DNS. Yes.  And... Yes.

No doubt, if you do not know any service access point, or you don't
have any rule for how to derive the service access point from the
information at hand, you can't access the service. Yes.

Now about which *use-case* are we talking here?

Ciao, Michael.
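The disagreement above turns on whether a service access point can be derived from the certificate's subject name at all. The script below is an added example, not code from either poster or from any PKIX implementation: it parses an RFC 2253-form subject DN, and, where the DN carries dc= components, maps them to a DNS domain the way RFC 2247 describes and builds the _ldap._tcp.<domain> SRV name that RFC 2377-style service location resolves (the SRV RRs Michael's reply refers to). A civil-style DN (c, st, l, o, ou, cn and nothing else) yields no domain, which is exactly Skip's failing case. The parser handles backslash and \XX escapes only (no quoted values), and every sample DN in it is constructed for illustration.

```python
"""Added example (not from the thread): can an LDAP service be located from a
certificate subject DN alone?  dc= naming (RFC 2247) gives a DNS domain and
hence an _ldap._tcp.<domain> SRV lookup; civil-style naming gives nothing.
Stdlib only; DN strings are parsed in RFC 2253 form (backslash escapes only)."""
import re
from typing import Dict, List, Optional, Tuple

RDN = List[Tuple[str, str]]   # one RDN: [(type, value), ...]; '+' joins multi-valued RDNs
_HEX = re.compile(r"[0-9A-Fa-f]{2}")
_TYPE = re.compile(r"[a-z][a-z0-9-]*|[0-9]+(?:\.[0-9]+)*")   # descriptor or dotted OID
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")            # DNS hostname label


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, skipping any character preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # keep escape pairs intact for _unescape
            buf.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(v: str) -> str:
    """Resolve \\c escapes and runs of \\XX (UTF-8 byte) escapes in a value."""
    out, i = [], 0
    while i < len(v):
        if v[i] != "\\":
            out.append(v[i]); i += 1; continue
        raw = bytearray()
        while v.startswith("\\", i) and i + 2 < len(v) and _HEX.fullmatch(v[i + 1:i + 3]):
            raw.append(int(v[i + 1:i + 3], 16)); i += 3
        if raw:
            out.append(raw.decode("utf-8")); continue
        if i + 1 >= len(v):
            raise ValueError("dangling backslash in DN value")
        out.append(v[i + 1]); i += 2
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 2253 DN string into RDNs, leaf (most specific) first."""
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            type_, eq, value = ava.partition("=")
            type_ = type_.strip().lower()
            if not eq or not _TYPE.fullmatch(type_):
                raise ValueError(f"malformed RDN component: {ava!r}")
            # drop unescaped surrounding spaces; an escaped trailing space ("\ ") survives
            value = re.sub(r"(?<!\\) +$", "", value.lstrip(" "))
            rdn.append((type_, _unescape(value)))
        rdns.append(rdn)
    return rdns


def domain_from_dn(rdns: List[RDN]) -> Optional[str]:
    """RFC 2247 mapping: dc= values read leaf-first are the labels of a DNS name.
    Returns None when the DN has no dc= components (civil-style naming)."""
    labels = [v.lower() for rdn in rdns for t, v in rdn if t == "dc"]
    if not labels:
        return None
    bad = [lbl for lbl in labels if not _LABEL.fullmatch(lbl)]
    if bad:
        raise ValueError(f"dc value is not a valid DNS label: {bad[0]!r}")
    return ".".join(labels)


def locate_directory(subject_dn: str) -> Dict[str, Optional[str]]:
    """Map a subject DN to the SRV owner name an RP would resolve
    (_ldap._tcp.<domain>), or say why no lookup is possible."""
    rdns = parse_dn(subject_dn)
    domain = domain_from_dn(rdns)
    if domain is None:
        present = ",".join(sorted({t for rdn in rdns for t, _ in rdn}))
        return {"naming": "civil", "domain": None, "srv": None,
                "reason": f"no dc= components (only {present}); nothing to resolve"}
    return {"naming": "domain-component", "domain": domain,
            "srv": f"_ldap._tcp.{domain}", "reason": None}


if __name__ == "__main__":
    # constructed sample subjects, one of each naming style
    for dn in ("cn=Skip Slone,ou=Engineering,dc=Example,dc=COM",
               "cn=Skip Slone,o=Example Corp,l=Orlando,st=Florida,c=US"):
        print(dn, "->", locate_directory(dn))
```

The second sample is the use case from the top of the thread: every attribute is civil-style, so `domain_from_dn` returns None and there is no name to hand to DNS; an RP at that point has only out-of-band configuration (referrals its administrator preconfigured, or a fully connected DIT) to fall back on. The first sample shows what the SRV route needs from the certificate: at least one dc= component, which is why the thread treats "domain name cannot be derived" as the deciding condition.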