RE: LDAP PKI Schema (was Re: No-op LDAP ;binary option)

["Ramsay, Ron" <Ron.Ramsay@xxxxxx>]

Component matching, however, does not address the problem of returning multiple certificates.

That is, if component matching were to be used, and if the entry contains a matching certificate, then all certificates in the entry would be returned. Using subordinate entries ensures only one certificate is returned.

Ron.

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@xxxxxxxxxxxx]
Sent: Tuesday, 31 December 2002 18:38
To: Peter Gietz
Cc: ietf-pkix@xxxxxxx
Subject: Re: LDAP PKI Schema (was Re: No-op LDAP ;binary option)




>Nevertheless two different solutions to one problem might be preferable here.

My primary objection to standardizing the child entry approach
for PKI is that it is a PKI-specific solution to a general problem,
component matching of complex attribute values.   We should be
looking for general solutions to our general problems.  Steven's
component matching I-D details a general solution which I believe
is suitable for standardization.

My recommendation is that the PKI "child entry" approach be
pursued individually as an Experimental (or possibly Informational)
solution to the PKI component matching problem with a note that
a more general solution, component matching, is being standardized.

Kurt