
RE: Basic Cert-2-Directory mapping question
Tom,

> -----Original Message-----
> From: Tom Gindin [mailto:tgindin@xxxxxxxxxx]
> Sent: Saturday, 13 January 2001 18:48
> To: Stephen Kent
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: Basic Cert-2-Directory mapping question
>
> Steve:
>
> Isn't a substantial part of this problem the question of how to publish a
> certificate in a directory where it will be searchable by a field within
> SubjectAltName, most importantly the e-mail address when that is included?
> Most of the arguments which I have ever heard for including e-mail address
> in the subject DN were actually searchability arguments. The names in
> SubjectAltName are typically hierarchically assigned, of course, but they
> aren't X.500-based.
>
> Assuming that an EE wants their certificate published under the e-mail
> address, IMHO they should be able to request the RA or CA to perform one of
> the following actions on a successful certificate issuance (using the
> publication info control or a similar mechanism):
>
> 1. Add a directory attribute for e-mail address whose value is the e-mail
>    address in the SubjectAltName to the directory entry named by the Subject
>    DN. Very often, the RA or CA has the privilege and the knowledge to do
>    this and the EE has only one or neither.
> 2. Send a certificate announcement to the domain of the e-mail address, in
>    the hope and (reasonable) expectation that the certificate will be
>    published there.
>
> Similar, but less practically important, considerations apply to other
> addresses in SubjectAltName. IMHO we also need to profile which directory
> attributes should normally be used when indexing a certificate under fields
> within SubjectAltName, especially since there are at least two fairly
> common attributes for e-mail address.

Rather than using other attributes as surrogates for searching for
certificates with particular fields (of subjectAltName or any other
component) I think it is more appropriate to have the capability to
search for those certificates directly. The refinement of the component
matching rules in my last reply to David Chadwick would make it possible
to search for entries containing certificates with a particular
SubjectAltName regardless of whether the alternate name was reflected
in any other attribute(s) in the entry. Such a solution avoids questions
about which other attributes to search, and doesn't require RAs or CAs to
populate said attributes.

Regards,
Steven

>
> Tom Gindin
>
> P.S. - The opinions above are my own, and not necessarily those of my
> employer.
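To make the two approaches in this exchange concrete, here is an added example (not code from either correspondent, nor from any PKIX specification): it decodes the rfc822Name values out of a DER-encoded SubjectAltName and then runs the same e-mail lookup two ways against a handful of constructed directory entries, once through a surrogate `mail` attribute that an RA or CA may or may not have populated, and once directly against the certificate's own SubjectAltName component, which is the kind of evaluation a component matching rule would perform server-side. The DER decoder models only the rfc822Name, dNSName, uniformResourceIdentifier and iPAddress alternatives of GeneralName; all DNs, addresses and entries are constructed, and the attribute name `mail` is used here as an assumption, since the thread does not name the attributes it has in mind.

```python
# Added example: contrast a surrogate 'mail' attribute with a search on the
# certificate's own SubjectAltName. Everything below is constructed.

# DER tags for the GeneralName alternatives this example models
# (RFC 5280 4.2.1.6, implicit context-specific tagging).
TAG_SEQUENCE = 0x30
GENERAL_NAME_TAGS = {0x81: "rfc822Name", 0x82: "dNSName",
                     0x86: "uniformResourceIdentifier", 0x87: "iPAddress"}
TAG_FOR_KIND = {v: k for k, v in GENERAL_NAME_TAGS.items()}


def der_tlv(tag, content):
    """Encode one DER TLV; long-form length when content is 128+ octets."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def encode_general_names(names):
    """Build a DER GeneralNames (SEQUENCE OF GeneralName) from (kind, value)
    pairs; used only to construct sample SubjectAltName values."""
    parts = [der_tlv(TAG_FOR_KIND[k], v if isinstance(v, bytes) else v.encode("ascii"))
             for k, v in names]
    return der_tlv(TAG_SEQUENCE, b"".join(parts))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER content runs past end of buffer")
    return tag, buf[start:end], end


def parse_general_names(der):
    """Decode a SubjectAltName extnValue into (kind, value) pairs. Alternatives
    not modelled here come back as ('unknown', raw_bytes) rather than failing."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("SubjectAltName is not a single SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        t, content, pos = read_tlv(body, pos)
        kind = GENERAL_NAME_TAGS.get(t, "unknown")
        if kind in ("rfc822Name", "dNSName", "uniformResourceIdentifier"):
            names.append((kind, content.decode("ascii")))   # IA5String payloads
        else:
            names.append((kind, bytes(content)))
    return names


def san_emails(der):
    """All rfc822Name values carried in a SubjectAltName."""
    return [v for k, v in parse_general_names(der) if k == "rfc822Name"]


# Constructed directory entries. Each holds the SubjectAltName as the CA issued
# it plus, sometimes, a surrogate 'mail' attribute an RA/CA may have populated.
ENTRIES = [
    {"dn": "cn=Alice,o=Example", "mail": "alice@example.com",
     "san": encode_general_names([("rfc822Name", "alice@example.com")])},
    {"dn": "cn=Bob,o=Example",  # nobody populated the surrogate attribute
     "san": encode_general_names([("rfc822Name", "bob@example.com"),
                                  ("dNSName", "mail.example.com")])},
    {"dn": "cn=Carol,o=Example", "mail": "carol@example.com",  # stale vs. cert
     "san": encode_general_names([("rfc822Name", "carol@example.net"),
                                  ("iPAddress", bytes([10, 0, 0, 1]))])},
]


def find_by_mail_attribute(entries, email):
    """Surrogate search: only as good as whoever populated 'mail'."""
    return [e["dn"] for e in entries if e.get("mail", "").lower() == email.lower()]


def find_by_san_email(entries, email):
    """Direct search on the certificate component, i.e. what a component
    matching rule evaluates server-side; case-insensitive like caseIgnoreIA5Match."""
    return [e["dn"] for e in entries
            if email.lower() in (a.lower() for a in san_emails(e["san"]))]
```

Running the two searches over `ENTRIES` shows the gap the reply is pointing at: `find_by_mail_attribute` never finds Bob, whose certificate carries `bob@example.com` but whose entry was never given the surrogate attribute, and it returns Carol for `carol@example.com` even though her certificate actually names `carol@example.net`. `find_by_san_email` gets both cases right because it only ever consults the certificate, which is what makes searching the component directly attractive from an integrity standpoint as well as a convenience one.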