Russ,
I agree with you in not wanting two standards for accomplishing the same goal.
But I still assert that the (currently) two proposed models do not have exactly the same goals; hence there is a possibility that the different goals require different solutions.
Option 1: single entry, containing possibly multiple userCertificate attribute values
Goals: (primary) support existing deployments which assume this model, (secondary) support attribute-within-certificate searching, (secondary) support single userCertificate retrieval.
Option 2: multiple entry, containing single userCertificate attribute value per entry, entries related by sub-tree layout
Goals: (primary) support attribute-within-certificate searching with existing and widely available directory technologies, (primary) support single userCertificate retrieval, (non-goal) support existing deployments which assume a single entry model.
I accept the desire to not have this situation, but I also believe it is going to occur - so why wouldn't we try and infuse at least some order into this situation?
Regards, Tim Hahn
Internet: hahnt@xxxxxxxxxx
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565
tie-line: 8/687.1565
fax: 919.224.2540