FW: ldapv2-schema and CA Certificates
> -----Original Message-----
> From: WHenry
> Sent: Monday, August 17, 1998 1:51 PM
> To: 'Dave Horvath'
> Subject: RE: ldapv2-schema and CA Certificates
>
> My only comment would be that fielding of products that will never
> interact or interoperate might be a factor to consider in the discussions.
> The DMS product line is being used in DoD (U.S. Govt) only, and I am not
> aware of a single sale of DMS software for use anywhere in the private
> sector.
>
> Hence, what is the pressing need for interoperability?
>
> -----Original Message-----
> From: Dave Horvath [SMTP:dave@chromatix.com]
> Sent: Monday, August 17, 1998 12:53 PM
> To: Russ Housley
> Cc: ietf-pkix@imc.org; kpcm@postoffice.xservices.com;
> H.Kesterson@bull.com; jis@mit.edu
> Subject: Re: ldapv2-schema and CA Certificates
>
> Russ,
>
> I agree with your comment that schema has a huge impact on
> interoperability and that MAYs must be replaced with MUSTs! Soft
> recommendations will lead to problems. However, it will be difficult to
> get both camps to agree! I hope that vendors on both sides of the fence
> are willing to change their products given a technically superior solution.
>
> Dave H
>
> Russ Housley wrote:
> >
> > PKIX WG Members:
> >
> > During the last few months, I have been focused on PKIX Part 1 (the
> > profile). That document had tough technical issues to be resolved, but
> > technical resolution was simple compared to the resolution of political
> > issues that we handled. If possible, we need to handle this issue on
> > technical grounds.
> >
> > This schema issue has a huge impact on interoperability. If we do not
> > address this issue quickly, then I fear that it will become more and
> > more political (and less and less technical).
> >
> > There are clearly two vocal camps. Both camps have fielded a
> > significant number of products, and the undesirability (or even
> > impossibility) of changes to those fielded products is the primary
> > reason for the political component to this debate.
> >
> > Directory Servers are going to be a very important repository for
> > certificates and CRLs. It is very important that all PKIX CAs post
> > certificates and CRLs in the same attributes so that any certificate
> > using system can readily find them. In my view, it is completely
> > unacceptable for there to be more than one choice for each attribute.
> > MISSI defined "local" attributes for use with version 1 certificates,
> > and it is widely agreed that this was a bad idea. Based on this
> > experience, I believe that the schema document should replace the MAYs
> > with MUSTs once the consensus is reached. We need one and only one
> > schema!
> >
> > As I stated in earlier messages to the PKIX mail list, I believe that
> > compatibility between the PKIX documents and the X.509 document is
> > quite important. The PKIX WG is the Internet "Public Key Infrastructure
> > using X.509." The PKIX WG should develop a consensus opinion and
> > forward it to Hoyt Kesterson (our liaison) to ensure that we influence
> > the defect resolution. Further, in my opinion, the schema document
> > should not progress until we are sure that we will have one schema that
> > is compatible with the X.509 defect resolution.
> >
> > In private e-mail, I have requested that the PKIX WG chairs provide
> > agenda time for this topic at the upcoming meeting. I hope that we can
> > leave that session with a working group consensus.
> >
> > Russ
>
> --
> ================================================
>
> _/_/_/ David J. Horvath
> _/ _/
> _/ _/ Chromatix, Inc.
> _/ _/ _/ 10451 Twin Rivers Road, Suite 265
> _/ _/_/ Columbia, MD 21044
> _/ _/ _/_/ Phone: (301) 596-8466 | http://www.chromatix.com
> _/_/_/ _/ _/ Fax: (410) 997-4306 | dave@chromatix.com