
Re: Basic Cert-2-Directory mapping question



Steven Legg wrote:
> 
> >      Isn't a substantial part of this problem the question of how to
> > publish a certificate in a directory where it will be searchable by a
> > field within SubjectAltName, most importantly the e-mail address when
> > that is included?
>
> The refinement of the component
> matching rules in my last reply to David Chadwick would make it possible
> to search for entries containing certificates with a particular
> SubjectAltName regardless of whether the alternate name was reflected
> in any other attribute(s) in the entry.

1. Now I appreciate the I-D about certificate matching rules for
LDAP very much and I think this is a promising solution for part of
the problem.

2. If subjectAltName is an RFC 822 mail address, very likely the
directory admin will have no problem putting that attribute in the
entry itself => even applications/servers not implementing these
matching rules will be sufficient. (But this is not the issue here
and should not prevent anybody from adding the appropriate matching
rules for subjectAltName to the I-D.)

3. As described in one of my former e-mails I believe that there's a
good chance to locate a person's entry by e-mail address (with SRV
records and doing searches on the located server).

The problem I see is that up to now there's no common good practice
1. to add appropriate SRV records for at least the company's
top-level domain, and
2. to make a directory-based certificate repository really
searchable.
Most directories I played with are either not public or public but
unbrowsable/limited regarding searches.

Now these problems are what we face most when deploying all this
PKIX stuff. We already have a lot of mechanisms at hand but nobody
is using them. What we need is not a new I-D for defining new
technical mechanisms. IMHO what we really need are I-Ds making clear
recommendations for tying all those relevant RFCs and I-Ds together.
Then we have a chance to get implementors doing it.

Ciao, Michael.
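The lookup path Michael describes in point 3 (SRV records for the mail domain, then a search on the located server), as an added example that is not part of the thread: it derives the `_ldap._tcp` SRV name from the address, orders the SRV answers per RFC 2782, and builds an RFC 4515 escaped filter so an untrusted address cannot alter the search. The SRV answers are constructed inline, and the `mail` attribute and `_ldap._tcp.<domain>` naming are assumptions about the deployment.

```python
import random

# Constructed sample SRV answers for _ldap._tcp.example.com:
# (priority, weight, port, target) -- not real DNS data.
SAMPLE_SRV = [
    (10, 60, 389, "ldap1.example.com."),
    (10, 40, 389, "ldap2.example.com."),
    (20, 0, 636, "ldap-backup.example.com."),
]

def srv_name_for_mail(address):
    """Map user@example.com to the _ldap._tcp SRV owner name of the mail domain
    (assumed naming convention; a site may publish different records)."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an RFC 822 address: %r" % address)
    return "_ldap._tcp." + domain.lower()

def order_srv(records, rng=random.random):
    """RFC 2782 target selection: lowest priority first; within one priority a
    weighted random draw, with weight-0 records placed first in the candidate list."""
    ordered = []
    by_prio = {}
    for rec in records:
        by_prio.setdefault(rec[0], []).append(rec)
    for prio in sorted(by_prio):
        pool = sorted(by_prio[prio], key=lambda r: r[1] != 0)  # weight 0 first
        while pool:
            total = sum(r[1] for r in pool)
            pick = int(rng() * (total + 1))  # uniform in 0..total
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered

def escape_filter_value(value):
    """RFC 4515 escaping: a user-supplied address must not add or close filter items."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def mail_search_filter(address):
    """Filter for the entry holding the address in `mail` (assumed attribute);
    request userCertificate;binary in the search to retrieve the certificate."""
    return "(mail=%s)" % escape_filter_value(address)

def locate(address, srv_answers, rng=random.random):
    """Return the SRV name, the ordered (host, port) list to try, and the filter."""
    targets = [(r[3].rstrip("."), r[2]) for r in order_srv(srv_answers, rng)]
    return srv_name_for_mail(address), targets, mail_search_filter(address)
```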