Re: Certificate Matching was:RE: Basic Cert-2-Directory mapping question
Steven Legg wrote:
>
> From: Tom Gindin [mailto:tgindin@xxxxxxxxxx]
> >
> > Users are
> > supposed to be able to formulate LDAP queries by hand, after all, and
> > something as simple as "find certificates with the following e-mail
> > address" shouldn't require a 6 line query.
>
> We should make it clear who we think the "users" are.
> I assume that the users are programmers creating PKI-enabled
> applications. They would be using an LDAP API to access the
> certificate repository. Such folks should be able to
> contend with a six line query template.
I tend to say that even programmers creating PKI-enabled
applications appreciate simple approaches. A simple standard leads
to correct code soon. Standards that are "too complicated" will not be
easily adopted, especially by developers of end-user applications. Bear in
mind that e.g. obtaining a certificate from LDAP in an S/MIME-aware
e-mail application is just a small side-job, not very high on the
developer's priority list.
> I don't think the
> users are the PKI application users. The user interfaces
> should protect these folks from ever having to enter an LDAP
> query by hand.
I agree that applications should protect end-users from formulating
an LDAP query by hand.
But IMHO there is another user group: folks doing customization of
applications. E.g. think of someone modifying an XML search form
template of a generic LDAP client. She/he is neither a sophisticated PKI
application programmer nor a naive end user.
> If a new mechanism is going to be used then
> shouldn't it be the one that better fits the requirement and also
> puts most of the implementation effort into the small number of server
> implementations rather than the larger number of client implementations ?
Yes. Writing plug-ins for existing LDAP servers is easier than
modifying all client applications.
> [..lots of discussion about matching rules which made my
> brain hurt deleted..]
Hmm, at this point I would like to make a non-technical statement:
I have the feeling that we don't need so many new I-Ds with even
more flexibility. We need I-Ds which cut down the possibilities and
make statements about good practices (e.g. how to store certificates
in a directory and how to search them in the simplest possible
way).
I would expect that 90% of the scenarios considered here will never
ever make it into a real-world application. Therefore you can IMHO
safely consider simpler use-cases.
Ciao, Michael.