RE: Basic Cert-2-Directory mapping question

[Stephen Kent <kent@xxxxxxx>]

Dave,

> Skip,
>
> I favor the implicit approach.
>
> Existing DNs schemas have tremendous inertia, and in addition to
> more intellectual reasons, registering existing country-based
> DNs within DNS is overwhelmingly the path of least resistance.
> In order to support Internet directory interoperability, it is far
> easier to say (to the DoD PKI, for example):
>
>   "You have to register a DNS record for OU=DoD."
>
> rather than:
>
>   "You have to change all of your certificates and directories to
>   include a new top-level RDN."
>
> I agree with Bob's goal of eliminating the need to pass certs in
> session handshakes and messages. If there were only two options (change
> the DN or add an extension), then only the first moves toward that
> goal.  But you have proposed a third option: leave the cert alone!
> For my part, I am simply in awe of the elegance of that approach.
> It might even work.

I don't agree that doing away with transmission of certs and CRLs 
inline via protocols, is a good idea in general. I understand why Bob 
wants to do this in his examples, but there is another side to the 
story. Reliance on the availability of a repository as a precursor to 
secure communications makes the secure communications more vulnerable 
to denial of service attacks, as well as creating likely greater 
delays security association creation. So, for protocols like SSL and 
IPsec, I'm more comfortable with passing this data inline, rather 
than relying on retrieving it from a server.

E-mail is the really good example of a general purpose application 
where it is necessary to retrieve a certificate for an encryption key 
from a server (or receive it inline from the peer who is the target 
of the message) prior to communication. But, for signed-only 
messages, passing cert chains and CRLs is still a reasonable strategy.

Steve