RE: LDAP PKI Schema (was Re: No-op LDAP ;binary option)

["Kurt D. Zeilenga" <Kurt@xxxxxxxxxxxx>]

At 03:33 PM 1/2/2003, Ramsay, Ron wrote:
>I know, but is it widely implemented?

Given that it is still a work in progress, I hope not!
But there are early implementations which have provided
the operational experience that the approach is general
useful and otherwise suitable for standardization.  Same
is true for component matching.   I hope the IESG will
approve both soon.

Kurt

>-----Original Message-----
>From: Kurt D. Zeilenga [mailto:Kurt@xxxxxxxxxxxx]
>Sent: Friday, 3 January 2003 04:01
>To: Ramsay, Ron
>Cc: Peter Gietz; ietf-pkix@xxxxxxx
>Subject: RE: LDAP PKI Schema (was Re: No-op LDAP ;binary option)
>
>
>At 11:11 PM 1/1/2003, Ramsay, Ron wrote:
>>Component matching, however, does not address the problem of returning multiple certificates.
>
>We have a general solution to that general problem in the LDAP
>matched values control extension [draft-ietf-ldapext-matchedval]. 
>
>Kurt
>
>
>>Ron.
>>
>>-----Original Message-----
>>From: Kurt D. Zeilenga [mailto:Kurt@xxxxxxxxxxxx]
>>Sent: Tuesday, 31 December 2002 18:38
>>To: Peter Gietz
>>Cc: ietf-pkix@xxxxxxx
>>Subject: Re: LDAP PKI Schema (was Re: No-op LDAP ;binary option)
>>
>>
>>
>>
>>>Nevertheless two different solutions to one problem might be preferable here.
>>
>>My primary objection to standardizing the child entry approach
>>for PKI is that it is a PKI-specific solution to a general problem,
>>component matching of complex attribute values.   We should be
>>looking for general solutions to our general problems.  Steven's
>>component matching I-D details a general solution which I believe
>>is suitable for standardization.
>>
>>My recommendation is that the PKI "child entry" approach be
>>pursued individually as an Experimental (or possibly Informational)
>>solution to the PKI component matching problem with a note that
>>a more general solution, component matching, is being standardized.
>>
>>Kurt