RE: AW: I-D ACTION:draft-ietf-pkix-new-part1-09.txt
Santosh is right about the schemas. There have been at least 3 defect reports against X.509 in this area over the past 2-3 years. 509 and PKIX LDAP schema both aligned in this area with the very first defect report (DR 185). Also with DR 257, also approved, we no longer have "forward" and "reverse" but rather "issuedToThisCA" and "issuedByThisCA". All certs issued to a CA, except self-issued certs, shall be stored in the issuedToThisCA element of the crossCertificatePair. In addition to that, certificates issued to the same CA, that were issued by other CAs in the same realm (where definition of realm is a local policy matter) are ALSO stored in the caCertificates attribute. There are NO inbound certificates for a CA that can be stored in caCertificates without also being stored in crossCertificatePair. Since the issuers of the certificates you are discussing may/may not be in the same "realm", the certs would need to at least go into the crossCertificatePair attribute and could also be present in the caCertificates attribute if issued by a CA in the same realm.
Wouldn't it be nice if we had a clean sheet - one attribute for self-issued certs, one attribute for certs "issued by this CA" and one attribute for certs "issued to this CA" - unfortunately we don't have that luxury.
Oh yes, just for completeness on the crossCertificatePair attribute, don't forget the recently approved defect (256) that requires all certificates issued BY a CA to other CAs to be stored in the "issuedByThisCA" component of the crossCertificatePair attribute, except certificates issued to a subordinate CA by its superior CA in a hierarchy.
Cheers,
Sharon
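The placement rules Sharon summarises above (DR 185/256/257) are easy to get subtly wrong when populating a directory, so here is an added worked example, not code from the original thread or from any of the participants. It models one CA's directory entry and decides, for each certificate, whether it belongs in caCertificate, in the issuedToThisCA element of crossCertificatePair, in the issuedByThisCA element, or nowhere. The certificate record layout, the DNs, the realm assignment and the superior/subordinate relation are all constructed assumptions; in practice realm membership is local policy, as the message notes. Self-issued certificates are skipped because the message only says they are excluded from issuedToThisCA, not where they go.

```python
"""Where does each of a CA's certificates belong in its LDAP entry?

Added illustration of the X.509 / PKIX LDAP schema rules described in the
message above. The record layout, realm map and hierarchy map are
assumptions made for this example, not anything defined by the schema.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of a CA certificate: issuer DN and subject DN.

    The DER body is irrelevant to the placement decision, so it is omitted.
    """
    issuer: str
    subject: str


@dataclass
class Placement:
    """The three places a CA's entry can store certificates."""
    ca_certificate: set = field(default_factory=set)      # caCertificate attribute
    issued_to_this_ca: set = field(default_factory=set)   # crossCertificatePair.issuedToThisCA
    issued_by_this_ca: set = field(default_factory=set)   # crossCertificatePair.issuedByThisCA


def place_certificates(this_ca, certs, realm_of, superior_of):
    """Apply the rules from DR 185/256/257 to `certs` for the entry of `this_ca`.

    realm_of:    mapping DN -> realm name (assumed; realm is local policy).
    superior_of: mapping subordinate DN -> superior DN for hierarchical CAs (assumed).
    """
    p = Placement()
    for c in certs:
        if c.subject == this_ca and c.issuer == this_ca:
            # Self-issued: excluded from issuedToThisCA. The message does not
            # say where these go, so this example does not place them.
            continue
        if c.subject == this_ca:
            # Issued TO this CA by another CA: always issuedToThisCA ...
            p.issued_to_this_ca.add(c)
            # ... and ALSO caCertificate when the issuer is in the same realm.
            if realm_of.get(c.issuer) == realm_of.get(this_ca):
                p.ca_certificate.add(c)
        elif c.issuer == this_ca:
            # Issued BY this CA to another CA: issuedByThisCA, except the
            # superior-to-subordinate certificate of a hierarchy.
            if superior_of.get(c.subject) != this_ca:
                p.issued_by_this_ca.add(c)
    return p


def check_invariant(p):
    """No inbound cert may sit in caCertificate without also being in
    crossCertificatePair (issuedToThisCA)."""
    return p.ca_certificate <= p.issued_to_this_ca


# Constructed sample data: "CN=CA-A" is the CA whose entry is being populated.
THIS_CA = "CN=CA-A,O=Example"
REALM = {
    "CN=CA-A,O=Example": "example",
    "CN=CA-B,O=Example": "example",   # same realm as CA-A
    "CN=CA-X,O=Other": "other",       # different realm
    "CN=Sub-A,O=Example": "example",  # subordinate of CA-A in a hierarchy
}
SUPERIOR = {"CN=Sub-A,O=Example": THIS_CA}

SAMPLE_CERTS = [
    CertRecord(issuer=THIS_CA, subject=THIS_CA),               # self-issued
    CertRecord(issuer="CN=CA-B,O=Example", subject=THIS_CA),   # inbound, same realm
    CertRecord(issuer="CN=CA-X,O=Other", subject=THIS_CA),     # inbound, other realm
    CertRecord(issuer=THIS_CA, subject="CN=CA-X,O=Other"),     # outbound cross-cert
    CertRecord(issuer=THIS_CA, subject="CN=Sub-A,O=Example"),  # outbound to subordinate
]


def demo():
    """Run the sample through the rules and return the Placement."""
    return place_certificates(THIS_CA, SAMPLE_CERTS, REALM, SUPERIOR)


if __name__ == "__main__":
    result = demo()
    for name in ("ca_certificate", "issued_to_this_ca", "issued_by_this_ca"):
        print(name)
        for c in sorted(getattr(result, name), key=lambda c: (c.issuer, c.subject)):
            print("   issuer=%s  subject=%s" % (c.issuer, c.subject))
    print("invariant holds:", check_invariant(result))
```

Running the sample shows the point of Sharon's message: both inbound certificates land in issuedToThisCA, only the same-realm one is duplicated into caCertificate, the cross-certificate CA-A issued to CA-X lands in issuedByThisCA, and the certificate CA-A issued to its own subordinate is stored in neither element.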
-----Original Message-----
From: Santosh Chokhani [mailto:chokhani@xxxxxxxxxxxx]
Sent: Friday, October 19, 2001 11:25 AM
To: Housley, Russ; Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: RE: AW: I-D ACTION:draft-ietf-pkix-new-part1-09.txt
Russ:
I agree with you that you understand my concern. I also do not have objection to using the caCertificate attribute. Actually, I prefer that.

However, it may break the LDAP v3 schema. It seems that LDAP states that all certificates must be published in the crossCertificatePair attribute and ONLY the domain certificates appear in the caCertificate attribute.
-----Original Message-----
From: Housley, Russ [mailto:rhousley@xxxxxxxxxxxxxxx]
Sent: Friday, October 19, 2001 10:28 AM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: RE: AW: I-D ACTION:draft-ietf-pkix-new-part1-09.txt
Santosh:
>I am ok with what you wrote for the URI. My question relates to when the
>DN is specified as the caIssuers. We need either a mandate that a
>particular attribute (caCertificate, crossCertificatePair) will be used or
>we need the syntax to permit to specify either one of the attributes.
>
>Also, we as a community need to decide, for crossCertificatePair, whether
>the client will have to determine the element or will the pointer specify
>the element, i.e., forward or reverse.
I am sorry that I misunderstood your original point. Let me make sure that I got it right this time.

The accessMethod is a GeneralName. When the GeneralName has the form of a URI, you are happy with the LDAP situation described in RFC 2255. However, when the GeneralName has the form of an X.500 Distinguished Name, you are still unhappy because the text does not say which directory attribute is expected to be populated.

You have proposed two alternatives: caCertificate and crossCertificatePair. Both of these attributes can hold more than one value.

My preference would be caCertificate. Does anyone have an issue with this approach?
Russ