Re: LDAP PKI Schema (was Re: No-op LDAP ;binary option)
Here are my recommendations to the PKIX WG:

The PKIX WG should not take on engineering of a PKI-specific
solution to the certificate matching / returning problems
which draft-klasen-ldap-x509certificate-schema. General
solutions suitable for standardization exist to resolve these
problems.

The PKIX WG should, as part of its PKI LDAPv3 applicability
statement work, detail requirements of PKI implementations
to support:
  a) existing LDAP PKI schema (as revised by PKIX WG)
  b) component matching rule extension
  c) matched values control extension

The PKIX WG should revise the LDAPv3 PKI Schema in a manner
which preserves existing interoperability (e.g., add
missing matching rules to userCertificate and friends,
fix up reference to X.509, etc.).

At 02:18 PM 1/3/2003, Russ Housley wrote:
>I must voice my disagreement with this approach, again.

Let me rephrase the part I think you object to:

I have no objection to the proponents of
draft-klasen-ldap-x509certificate-schema continuing
to pursue their work on an individual basis. In
its current form, I would oppose publication as a
non-Experimental RFC. As an Experimental RFC, I would
ask that an IESG Note be added to the document clarifying
that the document details an alternative to existing
and future IETF standards which implementors should favor.

Kurt