
Re: Basic Cert-2-Directory mapping question
All,

this thread has progressed a bit since last I checked, so I hope you'll
forgive me for skipping to the front.

Regarding our precious screwdriver, the primary functional requirement
for said tool, to paraphrase Sharon, would then appear to be:

"The screwdriver shall identify and locate PKIX repositories for
Distinguished Names."

Or is it important that this method only be used failing derivation or
a priori knowledge of the repository location?

Is it also important that the DN be "geopolitically" structured, or can
I interpret that as "non-domainComponent" structured?

Skip has already proposed a solution, which I'd like to address:

"What I'm proposing is the development of a new DNS RR type that allows
the registration of arbitrary attribute value assertions (such as
"o=Something" or "ou=Something Else"). These new RRs (let's call them
AVA RRs) would resolve to a domain name that could subsequently be used
to construct the right hand portion of a PKIXREP query (or some other
SRV-seeking query).  A remaining critical piece is the specification of
c=XX as equivalent to a corresponding ccTLD. As an example, when
resolving a DN ending in o=Entrust, c=CA, one would first query .ca for
an AVA record matching "o=Entrust", and would get a response such as
"entrust.com" which would then be used to generate a query along the
line of _PKIXREP._LDAP.entrust.com."

One issue I have with this is that it violates one of the central
premises of Sharon's "soapbox address" by placing the assumption on DNs
that they employ a specific naming scheme, in this case one with a
"C=xxx, O=xxx" root.

Regards,

//oscar

Sharon Boyen wrote:
> Hi Skip,
>
> What I meant by the tools was that the SRV records are populated by
> CAs, some of which use the geopolitical DN style and others that use
> the dc style.  Regardless of what style of DN they use, all queries
> for SRV records are based on a domain name. If that domain name is
> known, or can be derived (e.g. by the email application from the
> email address), then the SRV records can direct you to the right PKI
> repository. 
> 
> The need for a screwdriver is when you don't know the domain name
> and can't derive it, but need to identify and locate the PKI
> repository for a geopolitically structured DN that you do know.
> 
> Cheers,
> Sharon
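
To make the two resolution paths discussed in this thread concrete (the dc-style derivation Sharon describes, and the c=XX to ccTLD to AVA-record lookup Skip proposes), here is an added Python sketch that is not from the thread or from any real resolver. The AVA records are a constructed in-memory table standing in for the proposed DNS RR type, the `_PKIXREP._LDAP.` prefix is the name form quoted above, and a DN with neither dc components nor a "C=..., O=..." root yields None, which is the case Oscar raises.

```python
"""Toy DN -> PKI repository SRV-name resolver (constructed example).

No real DNS is queried; the proposed AVA RRs are simulated by AVA_RECORDS.
"""
from typing import List, Optional, Tuple

# Constructed stand-in for the proposed AVA RRs, keyed by (ccTLD, "attr=value").
AVA_RECORDS = {
    ("ca", "o=entrust"): "entrust.com",
}

SRV_PREFIX = "_PKIXREP._LDAP."  # SRV owner-name form as quoted in the thread


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (attribute, value) pairs, most specific first.

    Simple comma split: escaped commas and multi-valued RDNs are not handled.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def repository_srv_name(dn: str) -> Optional[str]:
    """Return the SRV owner name of the PKI repository serving `dn`,
    or None when neither derivation path applies."""
    rdns = parse_dn(dn)

    # Path 1 (Sharon): dc-style DN, the domain name comes straight from the dc RDNs.
    dcs = [value for attr, value in rdns if attr == "dc"]
    if dcs:
        return SRV_PREFIX + ".".join(dcs).lower()

    # Path 2 (Skip's proposal): c=XX maps to the ccTLD, then an AVA lookup of o=...
    country = next((value for attr, value in rdns if attr == "c"), None)
    org = next((value for attr, value in rdns if attr == "o"), None)
    if country is None or org is None:
        return None  # Oscar's objection: no "C=xxx, O=xxx" root to anchor on
    domain = AVA_RECORDS.get((country.lower(), f"o={org.lower()}"))
    if domain is None:
        return None  # no AVA record registered under that ccTLD
    return SRV_PREFIX + domain
```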