RE: ldapv2-schema and CA Certificates
To me it seems that the two sides have different originating
viewpoints of the problem.
One is from the viewpoint of a CA. (Santosh) I.e. how can a CA provide
effective path-building for its subscribers, given that it has some
CA-certificates regarded as intra-domain and some regarded as inter-
domain?
The other (Sharon's) is general, from the viewpoint of the subscriber.
How can a subscriber find a common structure for all certificates
and all CA's considering the provisions of CA certificates?
true/not true?
Sharon says that there is no universal rule to decide which certificates
belong to the "preferred path" and which do not. But is this true
within a single CA-domain?
It seems to me that Sharon's examples of distinctions between "preferred paths"
are subject to different CA-domains. Is it wrong to assume that there
will be a consistent "preferred path" within a single CA-domain?
Otherwise Santosh's proposal seems reasonable.
But regarding the proposal.
Why are "self-issued" certificates put in the crossCertificatePair attribute?
When your proposal also states:
it is recommended that the certificates issued to the authorities in the
same PKI domain as that of the issuing authority be stored in the
caCertificate attribute.
This is confusing to me.
/Stefan
-------------------------------------------------------------------
Stefan Santesson <stefan@accurata.se>
Accurata Systemsäkerhet AB
Lotsgatan 27 D          Tel.   +46-40 152211
216 42 Malmö            Fax.   +46-40 150790
Sweden                  Mobile +46-70 5247799
PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------
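As an added illustration (not part of Stefan's message, Santosh's proposal or the ldapv2-schema text), a toy directory model with the two attributes the thread discusses and a path builder that reads caCertificate (intra-domain) before crossCertificatePair. The CA names, directory contents and the attribute ordering are constructed assumptions; the point it shows is that the attribute a CA chooses for a certificate decides which path a subscriber's path builder finds first.

```python
from typing import Dict, List, Optional, Tuple

# A certificate is reduced to (issuer name, subject name); real certificates
# carry keys, validity and extensions, which this sketch ignores.
Cert = Tuple[str, str]

# Constructed directory model (assumption, not from the thread): each CA entry
# holds the certificates issued *to* that CA, keyed by the attribute the
# proposal under discussion would store them in. Corp-Root and Corp-Sub form
# one PKI domain; Partner-Root is a cross-certified CA in another domain.
DIRECTORY: Dict[str, Dict[str, List[Cert]]] = {
    "Corp-Root": {"caCertificate": [],
                  "crossCertificatePair": [("Partner-Root", "Corp-Root")]},
    "Corp-Sub": {"caCertificate": [("Corp-Root", "Corp-Sub")],
                 "crossCertificatePair": [("Partner-Root", "Corp-Sub")]},
    "Partner-Root": {"caCertificate": [],
                     "crossCertificatePair": [("Corp-Root", "Partner-Root")]},
}

def build_path(directory: Dict[str, Dict[str, List[Cert]]],
               subject: str, trust_anchor: str,
               prefer: Tuple[str, ...] = ("caCertificate", "crossCertificatePair")
               ) -> Optional[List[Cert]]:
    """Depth-first walk from `subject` up to `trust_anchor`, reading each
    entry's attributes in `prefer` order. Returns the chain of certificates
    (subject's own certificate first) or None when no chain reaches the
    anchor. A `seen` set stops the mutual cross-certificates from looping."""
    def walk(name: str, seen: set) -> Optional[List[Cert]]:
        if name == trust_anchor:
            return []
        entry = directory.get(name, {})
        for attr in prefer:
            for issuer, subj in entry.get(attr, []):
                if issuer in seen:
                    continue
                tail = walk(issuer, seen | {issuer})
                if tail is not None:
                    return [(issuer, subj)] + tail
        return None
    return walk(subject, {subject})

if __name__ == "__main__":
    # Intra-domain anchor: found through caCertificate alone.
    print(build_path(DIRECTORY, "Corp-Sub", "Corp-Root"))
    # Foreign anchor: caCertificate-first ordering climbs to Corp-Root and
    # then crosses over, even though a shorter direct cross-certificate exists.
    print(build_path(DIRECTORY, "Corp-Sub", "Partner-Root"))
    print(build_path(DIRECTORY, "Corp-Sub", "Partner-Root",
                     prefer=("crossCertificatePair", "caCertificate")))
```

Swapping the attribute order changes which chain is returned for the foreign anchor, which is the kind of "preferred path" ambiguity the thread is arguing about.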