
Re: Basic Cert-2-Directory mapping question



     Steve:

     Isn't a substantial part of this problem the question of how to
publish a certificate in a directory where it will be searchable by a field
within SubjectAltName, most importantly the e-mail address when that is
included?  Most of the arguments which I have ever heard for including
e-mail address in the subject DN were actually searchability arguments.
The names in SubjectAltName are typically hierarchically assigned, of
course, but they aren't X.500-based.
     Assuming that an EE wants their certificate published under the e-mail
address, IMHO they should be able to request the RA or CA to perform one of
the following actions on a successful certificate issuance (using the
publication info control or a similar mechanism):
1    Add a directory attribute for e-mail address whose value is the e-mail
address in the SubjectAltName to the directory entry named by the Subject
DN.  Very often, the RA or CA has the privilege and the knowledge to do
this and the EE has only one or neither.
2    Send a certificate announcement to the domain of the e-mail address,
in the hope and (reasonable) expectation that the certificate will be
published there.

     Similar, but less practically important, considerations apply to other
addresses in SubjectAltName.  IMHO we also need to profile which directory
attributes should normally be used when indexing a certificate under fields
within SubjectAltName, especially since there are at least two fairly
common attributes for e-mail address.

          Tom Gindin

P.S. -    The opinions above are my own, and not necessarily those of my
employer.
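An added example, not part of the message above, of action 1 as a directory update: read the rfc822Name values from a certificate's SubjectAltName and emit an LDIF modify record that adds them to the entry named by the Subject DN. The attribute name is a parameter because, as the post notes, more than one e-mail attribute is in common use; the certificate itself is constructed in the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ldifAddMail builds an LDIF change record adding every rfc822Name found in
// the certificate's SubjectAltName as attribute attr (e.g. "mail") on the
// directory entry named by the Subject DN. It returns "" when the
// certificate carries no rfc822Name, so nothing is indexed by e-mail.
func ldifAddMail(cert *x509.Certificate, attr string) string {
	if len(cert.EmailAddresses) == 0 {
		return ""
	}
	var b strings.Builder
	fmt.Fprintf(&b, "dn: %s\nchangetype: modify\nadd: %s\n", cert.Subject.String(), attr)
	for _, e := range cert.EmailAddresses {
		fmt.Fprintf(&b, "%s: %s\n", attr, e)
	}
	return b.String()
}

// constructedCert makes a throwaway self-signed EE certificate with the given
// rfc822Name SAN values (constructed test data, not a real identity).
func constructedCert(emails ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "Example User", Organization: []string{"Example Org"}},
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(24 * time.Hour),
		EmailAddresses: emails,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := constructedCert("user@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Print(ldifAddMail(cert, "mail"))
}
```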