RE: ldapv2-schema and CA Certificates
PKIX WG Members:
During the last few months, I have been focused on PKIX Part 1 (the
profile). That document had tough technical issues to be resolved, but
technical resolution was simple compared to the resolution of political
issues that we handled. If possible, we need to handle this issue on
technical grounds.
This schema issue has a huge impact on interoperability. If we do not
address this issue quickly, then I fear that it will become more and more
political (and less and less technical).
There are clearly two vocal camps. Both camps have fielded a significant
number of products, and the undesirability (or even impossibility) of
changes to those fielded products is the primary reason for the political
component to this debate.
Directory Servers are going to be a very important repository for
certificates and CRLs. It is very important that all PKIX CAs post
certificates and CRLs in the same attributes so that any certificate-using
system can readily find them. In my view, it is completely unacceptable
for there to be more than one choice for each attribute. MISSI defined
"local" attributes for use with version 1 certificates, and it is widely
agreed that this was a bad idea. Based on this experience, I believe that
the schema document should replace the MAYs with MUSTs once the consensus
is reached. We need one and only one schema!
As I stated in earlier messages to the PKIX mail list, I believe that
compatibility between the PKIX documents and the X.509 document is quite
important. The PKIX WG is the Internet "Public Key Infrastructure using
X.509." The PKIX WG should develop a consensus opinion and forward it to
Hoyt Kesterson (our liaison) to ensure that we influence the defect
resolution. Further, in my opinion, the schema document should not
progress until we are sure that we will have one schema that is compatible
with the X.509 defect resolution.
In private e-mail, I have requested that the PKIX WG chairs provide agenda
time for this topic at the upcoming meeting. I hope that we can leave that
session with a working group consensus.
Russ