
Re: LDAP PKI Schema (was Re: No-op LDAP ;binary option)

Kurt:

I must voice my disagreement with this approach, again.

This approach adds complexity to the PKI client. In the long run, a PKI client must look in two places to locate a certificate. The client cannot know if the PKI "child entry" approach or the component matching approach was used by the administrator posting the information. As a result, the PKI client must first look in the userCertificate attribute of the subject entry. If the PKI client does not find the expected certificate, then it must search for child entries.

I want to pick one or the other, not live with checking both for the foreseeable future. If we pick the PKI "child entry" approach, then this should be the only way that certificates are stored. This means a standards track document, not an informational or experimental one. If we pick the component matching approach, then we can write the standards track document now, but we will have to wait for development and deployment of updated software.

WE MUST PICK ONE APPROACH, NOT TWO!

Russ

At 11:37 PM 12/30/2002 -0800, Kurt D. Zeilenga wrote:
My recommendation is that the PKI "child entry" approach be
pursued individually as an Experimental (or possibly Informational)
solution to the PKI component matching problem with a note that
a more general solution, component matching, is being standardized.
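The two-place lookup Russ describes above, as an added example that is not part of the original thread or of any IETF draft. It models a directory as an in-memory list of (DN, attributes) entries with a minimal search() helper, and shows the client logic forced by allowing both conventions: a base-scope read of the subject entry's userCertificate values, then a one-level search for child entries. Only userCertificate comes from the message; the child-entry attribute names (x509serialNumber, x509issuer), the DN layout and the certificate records are assumptions made for illustration. A second function shows the single-search shape that component matching would allow, where the server evaluates the issuer and serial components inside the certificate value itself.

```python
"""Two-place certificate lookup against a tiny in-memory LDAP model.

Added example, not code from the original thread. The directory, the
search() helper, the certificate records and the child-entry attribute
names (x509serialNumber, x509issuer) are assumptions made for
illustration; only userCertificate comes from the message above.
"""

# Constructed sample directory: a flat list of (dn, attrs).
# Certificates are modelled as dicts carrying the two components a
# client matches on (issuer, serialNumber) plus a placeholder DER blob.
DIRECTORY = [
    ("cn=alice,ou=people,o=example",
     {"objectClass": ["person"],
      "userCertificate": [{"issuer": "o=Example CA", "serialNumber": 1001,
                           "der": b"\x30\x82..."}]}),
    ("cn=bob,ou=people,o=example",
     {"objectClass": ["person"]}),
    # Child-entry approach: the certificate hangs below the subject entry,
    # with its components broken out as attributes so they can be filtered.
    ("x509serialNumber=2002,cn=bob,ou=people,o=example",
     {"objectClass": ["x509certificate"],
      "x509serialNumber": [2002],
      "x509issuer": ["o=Example CA"],
      "userCertificate": [{"issuer": "o=Example CA", "serialNumber": 2002,
                           "der": b"\x30\x82..."}]}),
]


def parent_dn(dn):
    # Assumes no escaped commas in RDN values (true for this sample data).
    return dn.split(",", 1)[1] if "," in dn else ""


def search(base, scope, predicate):
    """Minimal LDAP-style search: scope 'base' returns the entry at base,
    'one' returns its immediate children; predicate plays the filter."""
    hits = []
    for dn, attrs in DIRECTORY:
        in_scope = (dn == base) if scope == "base" else (parent_dn(dn) == base)
        if in_scope and predicate(attrs):
            hits.append((dn, attrs))
    return hits


def _cert_matches(cert, issuer, serial):
    return cert["issuer"] == issuer and cert["serialNumber"] == serial


def locate_certificate(subject_dn, issuer, serial):
    """The lookup Russ objects to: probe the subject entry first, then
    fall back to child entries. Returns (where_found, cert) or (None, None)."""
    # Step 1: base-scope read of the subject entry's userCertificate values.
    for _, attrs in search(subject_dn, "base", lambda a: "userCertificate" in a):
        for cert in attrs["userCertificate"]:
            if _cert_matches(cert, issuer, serial):
                return "subject-entry", cert
    # Step 2: one-level search for a child entry whose broken-out
    # components match. The client cannot skip this step because it
    # cannot know which storage convention the administrator used.
    def child_filter(a):
        return (serial in a.get("x509serialNumber", [])
                and issuer in a.get("x509issuer", []))
    for _, attrs in search(subject_dn, "one", child_filter):
        for cert in attrs.get("userCertificate", []):
            if _cert_matches(cert, issuer, serial):
                return "child-entry", cert
    return None, None


def locate_with_component_matching(subject_dn, issuer, serial):
    """With component matching the server evaluates the issuer/serial
    components inside userCertificate itself, so one base-scope search
    with a filter suffices and the fallback disappears. Certificates
    stored only in child entries are not found by this single search."""
    def filt(a):
        return any(_cert_matches(c, issuer, serial)
                   for c in a.get("userCertificate", []))
    hits = search(subject_dn, "base", filt)
    if not hits:
        return None
    return next(c for c in hits[0][1]["userCertificate"]
                if _cert_matches(c, issuer, serial))
```

The in-memory predicate stands in for a real LDAP filter (an extensible match on userCertificate in the component-matching case, equality filters on the broken-out attributes in the child-entry case); the point the model makes is that a certificate held under bob's child entry is reachable only through the second search, so a client that must work against either convention cannot stop after the first.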