
Storage of X.509 certificates in X.500



Hello,
  I'm not sure whether this is the right place to ask these
questions - if it's not the right place please direct me
to a more appropriate mailing list.

My Questions:

1. Storage of an X.509 certificate in an X.500 server

- Is it common practice to use the "subject" field of the
  certificate as distinguished name of the entry which holds
  the certificate as an attribute?
- If not - how does the client loading the certificates (CA, ...)
  find the right entry which has to be modified?

This definitely becomes difficult for large corporate directories
(100000 entries) which also hold a lot of other
attributes (phone number, ...).

2. Storage of Revocation lists in a X.500 server

- A person reads a certificate from an X.500 server; now the person wants
  to check if the certificate is still valid. So the person reads
  the revocation list and checks whether the serial number of the
  certificate is in the revocation list or not.
  This seems good until the revocation list becomes huge - every client
  would have to read a list of 10000 serial numbers of revoked certificates.
  Does anybody have experience with splitting revocation lists? What could be a
  "reasonable" size of a revocation list?

Thanks,
		Jochen.
------------

Dr. Jochen Keutel        currently at:   Deutsche Telekom
duerr com-soft                           IZ Darmstadt

Phone: +49 6151 818 5525

e-mail: keutel@u9ytb.dmst03.telekom.de
	100.37805@germanynet.de
X.400 : /C=de/A=dbp/P=telekom400/O=dmst03/OU1=08/S=osys-02
WWW   : http://www.geocities.com/WallStreet/3454/
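Added example, not from the original post or any software it mentions: a small Python model of both questions. Part 1 renders a certificate subject as an LDAP DN string (root-first X.500 order reversed, RFC 4514 escaping of commas and the like), looks the entry up by that DN and appends the certificate to its userCertificate;binary attribute, returning False when no entry matches. Part 2 splits a revocation list into partitions and checks a serial number against one of them, refusing to answer "valid" when the partition is not the one the certificate names, the issuer's signature did not verify, or the list is outside its thisUpdate/nextUpdate window. The CA, subject, serials, dates, the "crl-N" partition names and the serial-modulo rule are constructed for the example; no DER is parsed and the signature check is a stand-in flag.

```python
"""Toy model of the two questions in the post: finding a certificate's
directory entry by its subject name, and checking revocation against a CRL
split into partitions. Added example; everything in it is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

SubjectName = Tuple[Tuple[str, str], ...]   # RDNs in X.500 order, root first

def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping of one attribute value for the LDAP DN string form."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def subject_to_ldap_dn(subject: SubjectName) -> str:
    """The certificate stores the name root-first (C, O, OU, CN); the LDAP
    string form lists the most specific RDN first, hence the reversal."""
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in reversed(subject))

@dataclass
class DirectoryEntry:
    dn: str
    attributes: Dict[str, List[bytes]] = field(default_factory=dict)

class Directory:
    """Stand-in X.500/LDAP directory indexed by the DN folded to lower case
    (attribute types are case-insensitive, as are caseIgnoreMatch values)."""
    def __init__(self, entries: Iterable[DirectoryEntry]) -> None:
        self._by_dn = {e.dn.lower(): e for e in entries}
    def lookup(self, dn: str) -> Optional[DirectoryEntry]:
        return self._by_dn.get(dn.lower())

@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: SubjectName
    crl_dp: str   # stand-in for the cRLDistributionPoints extension
    der: bytes    # stand-in for the encoded certificate

def store_certificate(directory: Directory, cert: Certificate) -> bool:
    """Find the entry whose DN equals the subject and append the certificate
    to userCertificate;binary. False (nothing stored) when no entry matches."""
    entry = directory.lookup(subject_to_ldap_dn(cert.subject))
    if entry is None:
        return False
    entry.attributes.setdefault("userCertificate;binary", []).append(cert.der)
    return True

N_PARTITIONS = 4   # constructed

def crl_partition_for(serial: int) -> str:
    """Constructed rule the CA applies once, at issuance, writing the result
    into the certificate (crl_dp); relying parties follow that pointer."""
    return f"crl-{serial % N_PARTITIONS}"

@dataclass(frozen=True)
class Crl:
    distribution_point: str
    revoked: FrozenSet[int]
    this_update: datetime
    next_update: datetime
    signature_ok: bool = True   # stand-in for verifying the issuer's signature

def build_partitioned_crls(revoked: Iterable[int], this_update: datetime,
                           lifetime: timedelta) -> Dict[str, Crl]:
    buckets: Dict[str, set] = {f"crl-{i}": set() for i in range(N_PARTITIONS)}
    for s in revoked:
        buckets[crl_partition_for(s)].add(s)
    return {n: Crl(n, frozenset(b), this_update, this_update + lifetime)
            for n, b in buckets.items()}

class RevocationUnknown(Exception):
    """No trustworthy answer; the caller must not treat this as 'valid'."""

def is_revoked(cert: Certificate, crl: Crl, now: datetime) -> bool:
    """Absence proves nothing unless the list is the one the certificate
    names, carries the issuer's signature, and is within its window."""
    if crl.distribution_point != cert.crl_dp:
        raise RevocationUnknown("wrong partition for this certificate")
    if not crl.signature_ok:
        raise RevocationUnknown("CRL signature did not verify")
    if not crl.this_update <= now <= crl.next_update:
        raise RevocationUnknown("CRL outside its validity window, fetch a fresh one")
    return cert.serial in crl.revoked

def revocation_status(cert: Certificate, crl: Crl, now: datetime) -> str:
    """'revoked', 'good', or 'unknown: <reason>'; never silently 'good'."""
    try:
        return "revoked" if is_revoked(cert, crl, now) else "good"
    except RevocationUnknown as exc:
        return f"unknown: {exc}"

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed data follows
SUBJECT_JANE = (("C", "de"), ("O", "Example Org"), ("OU", "Sales, East"), ("CN", "Jane Doe"))
CERT_JANE = Certificate(7, SUBJECT_JANE, crl_partition_for(7), b"<der 7>")
DIRECTORY = Directory([DirectoryEntry("cn=Jane Doe,ou=Sales\\, East,o=Example Org,c=de")])
CRLS = build_partitioned_crls({3, 7, 8, 11}, NOW - timedelta(hours=1), timedelta(days=1))
```

With four partitions each client fetches roughly a quarter of the revoked serials instead of all of them, but the split only stays safe because every certificate carries the name of its own partition and the checker refuses to answer when handed any other list; a bare "serial not found" against the wrong or stale partition would read as "valid".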