Re: Certificate Matching was:RE: Basic Cert-2-Directory mapping question
Steven Legg wrote:
>
> It isn't always appropriate that the value of the surrogate attribute
> matches the value of the corresponding field in the certificate.
> Maybe the certificate is valid but uses a superseded value for the
> surrogate attribute (maybe the user has changed ISPs and is waiting for
> an updated certificate).
If I understand your example right, you would like to use the cert
retrieved from the LDAP host containing the old e-mail address to
encrypt a message for the new e-mail address? This behaviour is not
what I would like to see in my e-mail application. Think of key
escrow mechanisms in a company...
> With surrogate search attributes the client will get back all
> certificates in the entry and have to filter them itself to find
> which is the one it actually wants.
IMHO the main benefit of this I-D would be that applications or
components not dealing with ASN.1 or certificates themselves can
retrieve the appropriate certificate. If you require the
client application to do anything more than just submitting a
simple LDAP filter string, you can stop writing the I-D.
> I recognize that the need to understand ASN.1 in order to formulate a
> query is an obstacle to acceptance.
YES!
Another real-world example: A system administrator wants to pull
certificates via LDAP and feed them into a PKI-aware application.
She/He's using her/his favourite scripting language with a primitive
LDAP module to download the binary blobs containing DER-encoded
certificates. In this system the LDAP component itself is not
PKI-aware and the PKI-aware component is not capable of speaking
LDAP. Therefore the LDAP component is not able to sort out the right
certificate.
Ciao, Michael.
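As an added example (not code from the original thread, and independent of the I-D under discussion), this is the filtering step Steven describes the client having to do itself: walk the DER of every userCertificate value returned for the entry and keep the one whose subjectAltName rfc822Name matches the wanted address. The blobs built by fake_cert() are constructed stand-ins, not real or signed certificates, and the decoder assumes single-byte tags; the point is how much ASN.1 a client must understand when the directory cannot do the match for it.

```python
OID_SAN = bytes.fromhex("551d11")  # id-ce-subjectAltName, OID 2.5.29.17

def tlv(tag, content):
    """DER-encode one TLV; only used to build the constructed samples."""
    assert len(content) < 0x80, "samples use short-form lengths only"
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos):
    """Decode the TLV at pos (short or long-form length) -> tag, value, next."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def children(content):
    pos = 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        yield tag, val

def rfc822_names(der):
    """Every rfc822Name carried by a subjectAltName extension in the blob."""
    found = []
    def walk(content):
        items = list(children(content))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if items and items[0][0] == 0x06 and items[0][1] == OID_SAN:
            for _, names in children(items[-1][1]):  # extnValue holds GeneralNames
                for gtag, gval in children(names):
                    if gtag == 0x81:                 # [1] IMPLICIT IA5String rfc822Name
                        found.append(gval.decode("ascii"))
            return
        for tag, val in items:
            if tag & 0x20:                           # constructed type: descend
                walk(val)
    walk(der)
    return found

def select_certs(blobs, address):
    """The client-side filtering step: keep blobs whose SAN names the address."""
    want = address.lower()
    return [b for b in blobs if want in (n.lower() for n in rfc822_names(b))]

def fake_cert(email):
    """Constructed stand-in for a DER cert: tbsCertificate with serial + [3] extensions."""
    names = tlv(0x30, tlv(0x81, email.encode("ascii")))
    ext = tlv(0x30, tlv(0x06, OID_SAN) + tlv(0x04, names))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tbs)
```

With an entry holding both the superseded old-ISP certificate and the current one, select_certs() returns only the current one; a client without this decoding has no way to tell them apart.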