RE: Basic Cert-2-Directory mapping question
The technique you documented has some effects equivalent to the
alternative 1 I proposed, although with a syntax which requires
considerable knowledge of ASN.1 to formulate an LDAP query and with no
ability to index on the component field (as opposed to searching on it).
This does not mean that I disapprove of the idea of component filtering in
LDAP searches, which IMHO will solve a number of important problems.
However, in view of the very high proportion of ASN.1 usage within
directory attributes actually accounted for by the small number of
PKI-based data structures, wouldn't it be reasonable to define a search
syntax for them which uses keywords to identify fields, rather than the
generic ASN.1 facility you proposed? I cannot believe that it is really
appropriate to require LDAP queries for known ASN.1 types to specify
matching rules within the query.
Tom Gindin
"Steven Legg" <steven.legg@xxxxxxxxxxxxx> on 01/15/2001 10:56:28 PM
Please respond to <steven.legg@xxxxxxxxxxxxx>
To: Tom Gindin/Watson/IBM@xxxxx, "'Stephen Kent'" <kent@xxxxxxx>
cc: <ietf-pkix@xxxxxxx>
Subject: RE: Basic Cert-2-Directory mapping question
Tom,
> -----Original Message-----
> From: Tom Gindin [mailto:tgindin@xxxxxxxxxx]
> Sent: Saturday, 13 January 2001 18:48
> To: Stephen Kent
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: Basic Cert-2-Directory mapping question
>
> Steve:
>
> Isn't a substantial part of this problem the question of how to
> publish a certificate in a directory where it will be searchable by a
> field within SubjectAltName, most importantly the e-mail address when
> that is included? Most of the arguments which I have ever heard for
> including e-mail address in the subject DN were actually searchability
> arguments. The names in SubjectAltName are typically hierarchically
> assigned, of course, but they aren't X.500-based.
>
> Assuming that an EE wants their certificate published under the e-mail
> address, IMHO they should be able to request the RA or CA to perform
> one of the following actions on a successful certificate issuance
> (using the publication info control or a similar mechanism):
>
> 1 Add a directory attribute for e-mail address whose value is the
> e-mail address in the SubjectAltName to the directory entry named by
> the Subject DN. Very often, the RA or CA has the privilege and the
> knowledge to do this and the EE has only one or neither.
>
> 2 Send a certificate announcement to the domain of the e-mail address,
> in the hope and (reasonable) expectation that the certificate will be
> published there.
>
> Similar, but less practically important, considerations apply to other
> addresses in SubjectAltName. IMHO we also need to profile which
> directory attributes should normally be used when indexing a
> certificate under fields within SubjectAltName, especially since there
> are at least two fairly common attributes for e-mail address.
Rather than using other attributes as surrogates for searching for
certificates with particular fields (of subjectAltName or any other
component) I think it is more appropriate to have the capability to
search for those certificates directly. The refinement of the component
matching rules in my last reply to David Chadwick would make it possible
to search for entries containing certificates with a particular
SubjectAltName regardless of whether the alternate name was reflected
in any other attribute(s) in the entry. Such a solution avoids questions
about which other attributes to search, and doesn't require RAs or CAs to
populate said attributes.
Regards,
Steven
>
> Tom Gindin
>
> P.S. - The opinions above are my own, and not necessarily those of my
> employer.
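As an added illustration (not code from the thread or from either author), the Python below parses a constructed subjectAltName GeneralNames value, then shows Tom's alternative 1 as an LDIF change adding the SAN e-mail to the entry named by the subject DN, together with an RFC 4515-escaped filter for searching on that surrogate attribute. The attribute name `mail`, the sample DN and the sample SAN bytes are assumptions.

```python
# Added example, not code from the thread. Parses a subjectAltName
# GeneralNames SEQUENCE (DER), extracts rfc822Name/dNSName, and emits the
# LDIF change of "alternative 1" plus an escaped LDAP filter on the surrogate.

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos).
    Handles short-form and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def san_names(general_names_der):
    """Return [(name_type, value)] for rfc822Name [1] and dNSName [2]."""
    tag, body, _ = der_read(general_names_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        if tag == 0x81:                     # [1] IMPLICIT IA5String rfc822Name
            names.append(("rfc822Name", value.decode("ascii")))
        elif tag == 0x82:                   # [2] IMPLICIT IA5String dNSName
            names.append(("dNSName", value.decode("ascii")))
        # other GeneralName choices (directoryName, URI, ...) are skipped
    return names

def ldap_filter_escape(value):
    """RFC 4515 escaping so a certificate-supplied value cannot change filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldif_add_mail(subject_dn, email):
    """Alternative 1: add the SAN e-mail as a 'mail' attribute (assumed name) to the subject's entry."""
    return "dn: %s\nchangetype: modify\nadd: mail\nmail: %s\n-\n" % (subject_dn, email)

def search_filter(email):
    """Filter a client would use to find the entry via the surrogate attribute."""
    return "(mail=%s)" % ldap_filter_escape(email)

# Constructed sample: SEQUENCE { rfc822Name "alice@example.com", dNSName "example.com" }
SAMPLE_SAN = b"\x30\x20\x81\x11alice@example.com\x82\x0bexample.com"
SAMPLE_DN = "cn=Alice Example,o=Example Corp,c=US"   # assumed subject DN

if __name__ == "__main__":
    email = dict(san_names(SAMPLE_SAN))["rfc822Name"]
    print(ldif_add_mail(SAMPLE_DN, email))
    print(search_filter(email))
```

The escaping step matters because the value comes from the certificate, not from the directory administrator, so it should never be concatenated into a filter unescaped.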