Re: WG Last Call: Certificate Schema
Jong-Hyuk wrote:
>>Since that time (Spring 2003) suppliers have not moved that far (if at
>>all) towards supporting component matching. Only Steven Legg's Australian
>>company, which had supported component matching prior to publication of
>>the RFCs, and OpenLDAP which I believe can now support it, have done
>>anything in this direction. Attribute extraction on the other hand has
>>double that amount of supporting implementations, plus all clients can
>>naturally support it without any code change.
>
>
> Clients can be considered to naturally support Component Matching if they
> accept search filters in a text form and they support extensibleMatch. It is
> observed that many clients fall into this category. For those clients who
> have search filters hard-coded and / or do not support extensibleMatch, the
> OpenLDAP implementation of Component Matching further supports attribute and
> matching rule aliases. In attribute aliasing, an alias attribute in the
> search filter is converted by the server into the predefined aliased
> component reference and the assertion value is used as the corresponding
> component assertion value.
Jong,
This is a neat idea. Are you using the schema we have defined for this
attribute aliasing, or have you defined your own? If you are using the
schema we have defined in the 3 PKIX IDs, then this would be another
good reason for publishing the IDs as Informational. If you have defined
your own schema, then it will need to be published widely so that
clients that don't support extensible matching (the majority of them)
will know which attribute types to use. But I don't think it would be
helpful to define a different set of attributes to refer to the same set
of X.509 attribute components.
regards
David
> The matching rule alias is used in a similar way.
> The aliasing mechanism can also be considered as an optimization which
> eliminates the extra processing steps for ComponentFilter parsing. We will
> provide performance evaluation results of Component Matching to show that it
> can be implemented in LDAP servers without performance degradation and
> increase in complexity.
> - Jong-Hyuk
>
> ------------------------
> Jong Hyuk Choi
> IBM Thomas J. Watson Research Center - Enterprise Linux Group
> P.O. Box 218, Yorktown Heights, NY 10598
> jongchoi@xxxxxxxxxxxxxx
>
>
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351 Fax +44 1484 532930
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxxxxx
Home Page: http://www.salford.ac.uk/its024/chadwick.htm
Research Web site: http://sec.isi.salford.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
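
The attribute-alias conversion described in the quoted text, as an added example that is not part of the original message and is not OpenLDAP's code: a plain equality item on an alias attribute is rewritten into a componentFilterMatch extensibleMatch item in the RFC 3687 text form. The alias names certSerialAlias and certSigAlgAlias are hypothetical, and the assertion value is checked against the component's syntax before it is spliced into the component assertion.

```python
import re

# Hypothetical alias table (names are assumptions, not a published schema):
# alias attribute (lower-cased) -> (aliased attribute, component reference,
# matching rule, pattern the assertion value must fully match).
ALIASES = {
    "certserialalias": ("userCertificate", "toBeSigned.serialNumber",
                        "integerMatch", re.compile(r"-?\d+")),
    "certsigalgalias": ("userCertificate", "toBeSigned.signature.algorithm",
                        "objectIdentifierMatch", re.compile(r"\d+(\.\d+)+")),
}

# A simple equality item "(attr=value)". Values carrying filter
# metacharacters (parentheses, "*", "\") are never treated as alias lookups.
EQUALITY_ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()*\\]+)\)")


def expand_item(match):
    """Turn one alias equality item into a componentFilterMatch item."""
    attr, value = match.group(1), match.group(2)
    alias = ALIASES.get(attr.lower())  # attribute names are case-insensitive
    if alias is None:
        return match.group(0)          # not an alias: leave the item as-is
    target, component, rule, value_ok = alias
    # Reject anything that is not a well-formed value for this component, so
    # the client-supplied text cannot add fields to the component assertion.
    if not value_ok.fullmatch(value):
        raise ValueError("bad assertion value for %s: %r" % (attr, value))
    return ('(%s:componentFilterMatch:=item:{ component "%s", rule %s, '
            'value %s })' % (target, component, rule, value))


def rewrite_filter(filter_text):
    """Expand every alias equality item inside an LDAP filter string."""
    return EQUALITY_ITEM.sub(expand_item, filter_text)


if __name__ == "__main__":
    # Constructed sample filter, as a client without extensibleMatch sends it.
    print(rewrite_filter("(&(objectClass=pkiUser)(certSerialAlias=12345))"))
```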