
RE: Basic Cert-2-Directory mapping question

Oscar,

Just a quick response to your specific critique...

[Oscar] One issue I have with this is that it violates one of the central
premises of Sharon's "soapbox address" by placing the assumption on DNs
that they employ a specific naming scheme, in this case one with a
"C=xxx, O=xxx" root.

[Skip] Actually, this was not where I was coming from at all. As I see it,
we currently have two documented approaches to naming, neither of which is
mandatory, both of which are in use: (1) RFC 2377, which recommends the use
of dc-style naming, and (2) the X.521 informative annex that recommends the
use of C=xx, O=xxx -style naming. What I was doing was acknowledging that
both name styles exist and will probably continue to exist indefinitely.
Based on that recognition, I was proposing that a relatively simple
modification to DNS could conceivably (with some more work, of course) help
resolve the latter type of names to a point where pkixrep can take over and
get us to the repository.

 -- Skip

-----Original Message-----
From: Oscar Jacobsson [mailto:oscar.jacobsson@xxxxxxxxxxx]
Sent: Tuesday, January 16, 2001 5:18 AM
To: Sharon Boeyen
Cc: 'Slone, Skip'; 'Stephen Kent'; ietf-pkix@xxxxxxx
Subject: Re: Basic Cert-2-Directory mapping question

All,

this thread has progressed a bit since last I checked, so I hope you'll
forgive me for skipping to the front.

Regarding our precious screwdriver, the primary functional requirement
for said tool, to paraphrase Sharon, would then appear to be:

"The screwdriver shall identify and locate PKIX repositories for
Distinguished Names."

Or is it important that this method only be used failing derivation or
a-priori knowledge of the repository location?

Is it also important that the DN be "geopolitically" structured, or can
I interpret that as "non-domainComponent" structured?

Skip has already proposed a solution, which I'd like to address:

"What I'm proposing is the development of a new DNS RR type that allows
the registration of arbitrary attribute value assertions (such as
"o=Something" or "ou=Something Else"). These new RRs (let's call them
AVA RRs) would resolve to a domain name that could subsequently be used
to construct the right hand portion of a PKIXREP query (or some other
SRV-seeking query).  A remaining critical piece is the specification of
c=XX as equivalent to a corresponding ccTLD. As an example, when
resolving a DN ending in o=Entrust, c=CA, one would first query .ca for
an AVA record matching "o=Entrust", and would get a response such as
"entrust.com" which would then be used to generate a query along the
line of _PKIXREP._LDAP.entrust.com."

One issue I have with this is that it violates one of the central
premises of Sharon's "soapbox address" by placing the assumption on DNs
that they employ a specific naming scheme, in this case one with a
"C=xxx, O=xxx" root.

Regards,

//oscar

Sharon Boeyen wrote:
> Hi Skip,
>
> What I meant by the tools was that the SRV records are populated by
> CAs, some of which use the geopolitical DN style and others that use
> the dc style.  Regardless of what style of DN they use, all queries
> for SRV records are based on a domain name. If that domain name is
> known, or can be derived (e.g. by the email application from the
> email address), then the SRV records can direct you to the right PKI
> repository. 
> 
> The need for a screwdriver is when you don't know the domain name
> and can't derive it, but need to identify and locate the PKI
> repository for a geopolitically structured DN that you do know.
> 
> Cheers,
> Sharon
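An added example, written for this archive page and not code from the thread or from any PKIX implementation, that carries Skip's quoted proposal through for both naming styles discussed above: dc-style names (RFC 2377) map straight to a domain name, while geopolitical names are walked from c=XX (taken as the ccTLD) through successive AVA lookups until the chain stops. The AVA RR type is hypothetical, so DNS is replaced by a constructed in-memory table whose entries (entrust.com, pki.entrust.com) are illustrative only.

```python
import re

# Constructed stand-in for the proposed AVA RR type (no such record exists):
# (zone queried, "attr=value" in lower case) -> domain name the AVA resolves to.
AVA_RECORDS = {
    ("ca", "o=entrust"): "entrust.com",
    ("entrust.com", "ou=pki"): "pki.entrust.com",
}

def parse_dn(dn):
    """Split a string DN into (attr, value) pairs, honouring '\\,' escapes.
    Input is leaf-first ("cn=..., o=..., c=..."); output is root-first."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return list(reversed(pairs))

def resolve_dn(dn, records=AVA_RECORDS):
    """Return the domain name under which to look for _PKIXREP SRV records,
    or None when the DN cannot be mapped to one."""
    rdns = parse_dn(dn)
    # RFC 2377 dc-style names carry the domain name in the DN itself.
    if rdns[0][0] == "dc":
        return ".".join(v for a, v in reversed(rdns) if a == "dc")
    # Geopolitical names: c=XX is treated as the ccTLD, then each further
    # RDN is looked up (value compared case-insensitively) as an AVA record
    # in the zone reached so far.
    if rdns[0][0] != "c":
        return None
    cctld = rdns[0][1].lower()
    zone = cctld
    for attr, value in rdns[1:]:
        nxt = records.get((zone, "%s=%s" % (attr, value.lower())))
        if nxt is None:
            break  # no record for this RDN; stop at the deepest hit
        zone = nxt
    # A bare ccTLD is not a repository location: require at least one hit.
    return None if zone == cctld else zone

def srv_query_name(domain):
    """Build the SRV owner name in the form used in the thread's example."""
    return "_PKIXREP._LDAP." + domain
```

A leaf RDN such as cn= has no AVA record, so the walk stops at the deepest hit rather than failing; a DN whose o= (or equivalent) has no record under its ccTLD yields None, since querying the ccTLD itself for SRV records would be meaningless.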