Peter,

This may be off-topic, but have you considered a SOAP version of this protocol? SOAP messages can be transported over HTTP, hence meeting this requirement, but can also be transported over SMTP etc. This seems to me to be a more general approach than the one described here.

Section 2, email: "Email address contained in the certificate..."

What does this mean? I think you should be more explicit. Will the search be against an email attribute in the subject DN, or an attribute in the subject alternative name...?

Section 2.1: "The one exception to this process is the subjectKeyIdentifier..."

I hate exceptions to rules ;) Why bother with this proviso? OK, it stops one needless hash, but it introduces additional coding at both the client and server. Why not just hash the hash?

Section 2.2: Although earlier text indicates why, the examples for retrieving a CA cert and a CRL are identical in this section. I think this should be clarified (by indicating a query URI appropriately).

Section 2.2 Rational: Typo - should be Section 2.3.

I appreciate your rationale but, as a client implementer, I don't want to care what technology the CA is using to store the certs (RDBMS, LDAP, whatever). But, as an LDAP zealot, I think there is a requirement to support cert lookup by a textual representation of the subject DN. Maybe the LDAP server vendors can comment?

Regards,
Piers A
New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF.

Title     : Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP
Author(s) : P. Gutmann
Filename  : draft-ietf-pkix-certstore-http-01.txt
Pages     :
Date      :
Product Architect
Protek Network Security
+44 (0)1270 507800
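The two lookup questions raised in the message above (which field an e-mail search should match, and whether the subjectKeyIdentifier really needs the extra hash) can be made concrete with a small Go program. This is an added example and not code from the draft or from either correspondent. It assumes the lookup keys are SHA-1 digests of the DER-encoded value, as the message's description of the hashing scheme suggests; the test certificate, the address piers@example.com and the SKID bytes are constructed for illustration, and the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// oidEmailAddress is PKCS#9 emailAddress (1.2.840.113549.1.9.1), the legacy
// location for an e-mail address inside the subject DN.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// CertEmails returns the e-mail addresses a certificate carries, split by
// where they appear: subject DN emailAddress attributes versus subjectAltName
// rfc822Name entries. A store that indexes only one of the two will miss
// certificates that use the other, which is the ambiguity the review points at.
func CertEmails(cert *x509.Certificate) (dn, san []string) {
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidEmailAddress) {
			if s, ok := atv.Value.(string); ok {
				dn = append(dn, s)
			}
		}
	}
	san = append(san, cert.EmailAddresses...)
	return dn, san
}

// LookupKeys models the hash-based identifiers under discussion (assumption:
// SHA-1 over the DER-encoded value, hex-encoded). It returns the hash of the
// DER subject name, the SKID used as-is (the draft's exception), and the
// "hash the hash" alternative the reviewer proposes.
func LookupKeys(cert *x509.Certificate) (subjectHash, skidRaw, skidHash string) {
	s := sha1.Sum(cert.RawSubject)
	k := sha1.Sum(cert.SubjectKeyId)
	return hex.EncodeToString(s[:]), hex.EncodeToString(cert.SubjectKeyId), hex.EncodeToString(k[:])
}

// NewTestCert builds a self-signed certificate (constructed test data) that
// carries the same address in both the DN and the SAN, plus a fixed SKID.
func NewTestCert(email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName: "Test User",
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: email}},
		},
		EmailAddresses: []string{email},
		SubjectKeyId:   []byte{0x01, 0x02, 0x03, 0x04}, // constructed SKID
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert("piers@example.com") // constructed address
	if err != nil {
		panic(err)
	}
	dn, san := CertEmails(cert)
	fmt.Println("DN emailAddress:  ", dn)
	fmt.Println("SAN rfc822Name:   ", san)
	sh, kr, kh := LookupKeys(cert)
	fmt.Println("sha1(subject DER):", sh)
	fmt.Println("SKID as-is:       ", kr)
	fmt.Println("sha1(SKID):       ", kh)
}
```

Run it and the same address comes back from both locations, so a server that only searches one of them gives a client no way to know why a lookup missed. The last two lines show the trade-off in the "hash the hash" remark: treating the SKID like every other attribute costs one extra SHA-1 on each side but removes the special case from both code paths.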