
Re: WG Last Call: Certificate Schema



At 01:10 PM 12/6/2004, Jong-Hyuk wrote:
>> This is a neat idea. Are you using the schema we have defined for this
>> attribute aliasing, or have you defined your own? If you are using the
>> schema we have defined in the 3 PKIX IDs, then this would be another
>> good reason for publishing the IDs as Informational. If you have defined
>> your own schema, then it will need to be published widely so that
>> clients that don't support extensible matching (the majority of them)
>> will know which attribute types to use. But I don't think it would be
>> helpful to define a different set of attributes to refer to the same set
>> of X.509 attribute components.
>
>The aliasing feature of OpenLDAP is provided as a mechanism which can work
>out the compatibility issue for the legacy / inflexible clients. However, it
>should not be considered as a mechanism which may potentially encourage the
>use of non-standard schema and access method. We instead need to consider
>the definition of the standardized schema for attribute / matching rule
>aliases in Component Matching.

It should also be noted that as a value extraction compatibility
mechanism, it is not 100% compatible with the value extraction
approach.  For instance, when the client uses a complex value
extraction filter and the entity has multiple certificates.

Kurt