RE: ldapv2-schema and CA Certificates
What any product does or does not support is not relevant to a discussion
of the technical merits of the options on the table and for that reason I'm
not going to comment on or clarify the functionality of Entrust products.
At least two sets of requirements have been stated - one to optimize the
efficiency of the path development process based on internal certificates
and one to optimize the efficiency of the path development process based on
flexible criteria. If we focus on finding a directory schema specification
that enables both to the detriment of neither, I think we'll have done our
job.
> ----------
> From: Dave Horvath[SMTP:dave@chromatix.com]
> Sent: August 13, 1998 8:14 PM
> To: Larry Layten
> Cc: ietf-pkix@imc.org; 'kpcm'
> Subject: Re: ldapv2-schema and CA Certificates
>
> All,
>
> I don't think we are too far apart if we make the following assumptions
> and support the conclusion listed below.
>
> 1) Entrust-enabled products currently use non-hierarchical
> (bi-lateral) cross certification. (Sharon is this correct?)
> I also note that Entegrity implemented to the ldapv2-spec
> so we will need concurrence from them.
>
> 2) Other communities such as DOD use a hierarchical
> CA model at this time.
>
>
> We propose we modify the X.509 defect report and ldap-v2 spec to place
> all hierarchical CA certificates in the cACertificate attribute of that
> particular CA's entry. Self signed CA certificates shall also be placed
> in the cACertificate attribute.
>
> The non-hierarchical (bi-lateral) CA's certificates shall be placed in
> the crossCertificatePair attribute. When DOD implements cross
> certification, it will then start populating the crossCertificatePair
> attribute. When Entrust implements a hierarchical model, the
> hierarchical CA's certificates shall be placed in the cACertificate
> attribute.
>
> This approach allows all parties to do business the way they have been.
>
>
> Regards,
> Dave Horvath, Pete Peterson
>
> Larry Layten wrote:
> >
> > I am sorry that I brought up "political issues".
> >
> > Perhaps someone out there could summarize the pros and cons
> > of each approach.
> >
> > Maybe someone could propose a way that a structure could
> > be built that would incorporate both approaches, allowing for
> > interoperability between the approaches based upon a mapping
> > to the appropriate method and programming for both.
> >
> > Non-flaming responses only please! My mailbox is full :-)
> > Larry
> >
>
> --
> ================================================
>
> _/_/_/ David J. Horvath
> _/ _/
> _/ _/ Chromatix, Inc.
> _/ _/ _/ 10451 Twin Rivers Road, Suite 265
> _/ _/_/ Columbia, MD 21044
> _/ _/ _/_/ Phone: (301) 596-8466 | http://www.chromatix.com
> _/_/_/ _/ _/ Fax: (410) 997-4306 | dave@chromatix.com
>