Re: Certificate Matching was:RE: Basic Cert-2-Directory mapping question
Steven Legg wrote:
>
> I hope you haven't confused the issues.
I hope that too. ;-)
> 1) Should surrogate search attributes or direct matching on certificates
> be used to search for certificates ?
I vote for direct matching on certificates. IMHO surrogate
attributes will cause too much trouble. And I consider the directory
server to be less trustworthy than the CA which issued the
certificates in almost any case.
> Surrogate search attributes generally require
> the clients to be PKI and ASN.1 aware. Direct matching of certificates
> doesn't.
That's why I voted for direct matching on certificates.
> > Another real-world example:
> > [..]
> > In this system the LDAP component itself is not
> > PKI-aware and the PKI-aware component is not capable of speaking
> > LDAP.
>
> When you say that the LDAP component is not PKI-aware I take it you mean
> that it doesn't understand the ASN.1 type of a certificate and supports
> no matching rules for directly matching a certificate.
Yes. (Maybe my English knowledge is sometimes too limited to be very
precise.)
> In such a case
> your hypothetical system administrator would have to use surrogate
> search attributes with all the attendant imprecision. Some sort
> of direct matching capability is required for the LDAP component to
> return only the right certificate.
I hoped that a directory server extension could implement the direct
certificate matching stuff and simply return the right certificate
to the LDAP client not aware of the ASN.1 type of a certificate.
Ciao, Michael.
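To illustrate the two approaches the thread argues about, here is an added example that is not part of the original mailing-list exchange. It builds a few hand-constructed DER certificate skeletons (not real signed certificates), stores them in a plain Python list standing in for directory entries, and compares a lookup by a hand-maintained surrogate attribute (here a hypothetical `x509SerialNumber` string) with direct matching on the certificate itself, i.e. comparing issuer name plus serial number as the certificateExactMatch rule does. The serial collision across CAs and the stale surrogate value are constructed to show the "attendant imprecision" Steven mentions.

```python
"""Direct certificate matching (issuer + serialNumber, as in certificateExactMatch)
versus surrogate search attributes, on a constructed in-memory "directory".
Added example: the certificates are hand-built DER skeletons, not real signed
certificates, and the directory is a Python list, not an LDAP server."""

# ---- minimal DER encoder, used only to construct the sample certificates ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def integer(v):
    # non-negative only; the extra byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue; CN is OID 2.5.4.3
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

ALG = tlv(0x30, tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSAEncryption

def make_cert(serial, issuer_cn, subject_cn):
    """Constructed certificate skeleton: key and signature are placeholders."""
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
    spki = tlv(0x30, ALG + tlv(0x03, b"\x00placeholder-key"))
    tbs = tlv(0x30, tlv(0xA0, integer(2)) + integer(serial) + ALG
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return tlv(0x30, tbs + ALG + tlv(0x03, b"\x00placeholder-sig"))

# ---- minimal DER decoder: the part a directory server needs for direct matching ----
def der_read(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def issuer_and_serial(cert_der):
    _, cert_body, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert_body)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    issuer = tlv(0x30, fields[2][1])       # order: serialNumber, signature, issuer, ...
    return issuer, serial

def certificate_exact_match(cert_der, issuer_der, serial):
    """Assertion value is (issuer, serialNumber); both must match the certificate."""
    return issuer_and_serial(cert_der) == (issuer_der, serial)

# ---- constructed directory entries; x509SerialNumber is a hypothetical surrogate attribute ----
DIRECTORY = [
    {"cn": "alice", "userCertificate": [make_cert(4711, "Example CA", "alice")],
     "x509SerialNumber": ["4711"]},
    {"cn": "bob",   "userCertificate": [make_cert(4711, "Other CA", "bob")],
     "x509SerialNumber": ["4711"]},        # same serial issued by a different CA
    {"cn": "carol", "userCertificate": [make_cert(4712, "Example CA", "carol")],
     "x509SerialNumber": ["4711"]},        # surrogate not updated after renewal
]

def search_by_surrogate(entries, serial_str):
    """Filter on the string attribute; trusts whoever maintains the directory."""
    return [e["cn"] for e in entries if serial_str in e["x509SerialNumber"]]

def search_by_direct_match(entries, issuer_der, serial):
    """Filter by decoding each stored certificate; trusts only the CA's encoding."""
    return [e["cn"] for e in entries
            if any(certificate_exact_match(c, issuer_der, serial) for c in e["userCertificate"])]

if __name__ == "__main__":
    print("surrogate:", search_by_surrogate(DIRECTORY, "4711"))
    print("direct:   ", search_by_direct_match(DIRECTORY, name("Example CA"), 4711))
```

The surrogate search returns all three entries because the serial alone is ambiguous across CAs and the stored string can drift from the certificate; the direct match decodes issuer and serial from the certificate bytes and returns only alice. This is also the matching logic a server-side extension would need in order to hand the single right certificate back to a client that cannot decode ASN.1 itself.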