Re: ldapv2-schema and CA Certificates
Russ,
I agree with your comment that schema has a huge impact on
interoperability and that MAYs must be replaced with MUSTs! Soft
recommendations will lead to problems. However, it will be difficult to
get both camps to agree! I hope that vendors on both sides of the fence
are willing to change their products given a technically superior solution.
Dave H
Russ Housley wrote:
>
> PKIX WG Members:
>
> During the last few months, I have been focused on PKIX Part 1 (the
> profile). That document had tough technical issues to be resolved, but
> technical resolution was simple compared to the resolution of political
> issues that we handled. If possible, we need to handle this issue on
> technical grounds.
>
> This schema issue has a huge impact on interoperability. If we do not
> address this issue quickly, then I fear that it will become more and more
> political (and less and less technical).
>
> There are clearly two vocal camps. Both camps have fielded a significant
> number of products, and the undesirability (or even impossibility) of
> changes to those fielded products is the primary reason for the political
> component to this debate.
>
> Directory Servers are going to be a very important repository for
> certificates and CRLs. It is very important that all PKIX CAs post
> certificates and CRLs in the same attributes so that any certificate using
> system can readily find them. In my view, it is completely unacceptable
> for there to be more than one choice for each attribute. MISSI defined
> "local" attributes for use with version 1 certificates, and it is widely
> agreed that this was a bad idea. Based on this experience, I believe that
> the schema document should replace the MAYs with MUSTs once the consensus
> is reached. We need one and only one schema!
>
> As I stated in earlier messages to the PKIX mail list, I believe that
> compatibility between the PKIX documents and the X.509 document is quite
> important. The PKIX WG is the Internet "Public Key Infrastructure using
> X.509." The PKIX WG should develop a consensus opinion and forward it to
> Hoyt Kesterson (our liaison) to ensure that we influence the defect
> resolution. Further, in my opinion, the schema document should not
> progress until we are sure that we will have one schema that is compatible
> with the X.509 defect resolution.
>
> In private e-mail, I have requested that the PKIX WG chairs provide agenda
> time for this topic at the upcoming meeting. I hope that we can leave that
> session with a working group consensus.
>
> Russ
--
David J. Horvath
Chromatix, Inc.
10451 Twin Rivers Road, Suite 265
Columbia, MD 21044
Phone: (301) 596-8466 | http://www.chromatix.com
Fax: (410) 997-4306 | dave@chromatix.com