
RE: LDAP PKI Schema (was Re: No-op LDAP ;binary option)

> otherwise they'd be sending a lot of requests that
> wouldn't succeed

Unfortunately this is already the way of the world

> That model is limited to closed environments and
> creates isolated islands of interoperability.

Again, this is already the case.

> PKIX requires a mechanism that enables clients to
> be able to access the data they need to build
> and validate cert paths and separating servers into
> some that follow a compatible schema and others
> that don't would significantly hinder that ability.

I don't disagree but as you have implied this would
require a very heavy client that can cope with all
currently deployed strategies. I doubt that any vendor
would commit to creating a product that supported
someone else's technical strategy. I would much rather
see the killing off of one of the strategies and a
focus on and a commitment by everyone to the other.
I accept that this is not trivial but I do not believe
that genuine interoperability is achievable until we
bite the bullet and simplify the mechanisms that
support proof of trust.

> It then becomes very difficult to determine a point
> in time at which you can turn off the old schema and
> rely solely on the new one.

Agreed. But just because something is difficult does
that mean that we shouldn't do it?

Chris