Re: LDAP PKI Schema (was Re: No-op LDAP ;binary option)

[Michael Ströder <michael@xxxxxxxxxxxx>]

Steve Hanna wrote:
> Here are a few common
> scenarios where I *don't* think you'll need to search for
> user certificates:
> [..]
> 3) Verifying signed email
>
> In all of these cases, you will already have the user's
> certificate in hand.

Not necessarily. Depends on the S/MIME settings in the sender's MUA.

> The primary use case where I expect
> you will need to find someone's user certificate would be
> when you want to send an encrypted email to someone whose
> user certificate you don't already have.

Note that also in this case the component searching the certificate might 
not be the same component using the certificate. Therefore the searching 
component might not be capable of parsing certificates at all.

> > I support the proposal made by Peter Gietz since it seems
> > like an fairly easy solution to me solving some real-world
> > problems.
>
> Can't certificateMatch do as well?

Yes, off course. But it requires implementing it in the server which will 
take quite some time if ever implemented at all.

I'd prefer a solution which can be easily deployed with today's LDAP server 
products (see also section 2 in draft-klasen-ldap-x509certificate-schema-01).

Ciao, Michael.