
Re: LDAP PKI Schema (was Re: No-op LDAP ;binary option)
Michael Ströder wrote:
> Steve Hanna wrote:
> > When (and how) do you think I will want to search for user
> > certificates? I expect that the common case will be "get
> > me the S/MIME certs for steve.hanna@xxxxxxx",
> 
> Steve, there sure are more use-cases.
> 
> Hint: You might wanna search for other types of certificates.
> And not every component doing the LDAP search does the ASN.1
> parsing as well.

I was hoping for more than a "hint". Here are a few common
scenarios where I *don't* think you'll need to search for
user certificates:

1) SSL/TLS
2) IPsec
3) Verifying signed email

In all of these cases, you will already have the user's
certificate in hand. The primary use case where I expect
you will need to find someone's user certificate would be
when you want to send an encrypted email to someone whose
user certificate you don't already have. If you have other
use cases, please describe them explicitly. A broad comment
that something might be useful is not a compelling argument
for change.

> I support the proposal made by Peter Gietz since it seems
> like a fairly easy solution to me solving some real-world
> problems.

Can't certificateMatch do as well?

> Sorry, unfortunately I have currently no time to wade
> through all the responses in this thread piling in my Inbox.

I understand that! The email is a bit thick now. But we
have a new subject line for this thread now, so that may help.

Thanks,

Steve
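The common case discussed in this thread, fetching the S/MIME certificates for a mail address, as an added example that is not part of the original exchange: whatever the server-side matching rule, the client still ends up parsing the userCertificate;binary values it gets back and checking that the rfc822Name, validity period and emailProtection EKU fit before encrypting to one. Written against the Go standard library; selectSMIMECerts and selfSignedSMIMECert are names chosen here, and the certificates are constructed inside the example rather than read from any directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"slices"
	"strings"
	"time"
)

// selectSMIMECerts filters raw userCertificate;binary values (DER) returned by an
// LDAP search down to those usable for encrypting mail to addr: each must parse, be
// inside its validity period, carry id-kp-emailProtection, and name addr in a
// subjectAltName rfc822Name. Values that do not parse are skipped, never trusted.
func selectSMIMECerts(values [][]byte, addr string, now time.Time) []*x509.Certificate {
	var out []*x509.Certificate
	for _, der := range values {
		c, err := x509.ParseCertificate(der)
		if err != nil || now.Before(c.NotBefore) || now.After(c.NotAfter) {
			continue
		}
		if !slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageEmailProtection) {
			continue
		}
		if slices.ContainsFunc(c.EmailAddresses, func(e string) bool { return strings.EqualFold(e, addr) }) {
			out = append(out, c)
		}
	}
	return out
}

// selfSignedSMIMECert builds a constructed self-signed certificate standing in for
// a directory value; the address and EKU vary so the filter can be exercised.
func selfSignedSMIMECert(email string, eku ...x509.ExtKeyUsage) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		EmailAddresses: []string{email}, // emitted as an rfc822Name in subjectAltName
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		ExtKeyUsage:    eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return der
}
```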