[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

comments on draft-ietf-pkix-ipki2opp-08.txt

To: "'ietf-pkix@xxxxxxx'" <ietf-pkix@xxxxxxx>
Subject: comments on draft-ietf-pkix-ipki2opp-08.txt
From: Alan Lloyd <Alan.Lloyd@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 28 Sep 1998 08:24:56 +1000
Sender: owner-ietf-pkix@xxxxxxx

Comments: Internet X.509 Public Key Infrastructure 
                            Operational Protocols - LDAPv2

Sorry for being my usual self. But what does this document do or solve.

All it states is use LDAP V2 to a PKI repository? and highlights the
major failings of LDAP encoding when dealing with certificate attributes
with multiple values. ie. In that the client gets the lot (every
certificate - regardless) --  and if the client goes for CRLs as well  -
and they are multi values of a CRL attribute - the client will get the
lot as well.

Lets do some rough sums. A cert = 600 - 2k bytes average 1kb, 5-10 certs
per user, 3 certs in a path.. transfer = 20- 30kb just to verify a
signature. In addition CRLs - bad sites, and they could get large.
And LDAP  accesses for the certs could be via referrals. Lets say that
we could be looking at optimistically  at 10-30 seconds of validation
time.
I would be happy to be corrected here..


Fundamental Problems with LDAP

LDAP servers are "string based" and non distributed - hence the need to
use X.500 and migrate these LDAP servers to a distributed architecture.
Not all certificates one wishes to deal with will be in your local ldap
server - they will be in the directory system that one cooperates with.

X.500 has certficate matching rules to enable selection of certificates
within a multi value attribute.

I am not sure what cert matching rules LDAP servers have or even if they
support multi valued att matching or if they are compatible with X.500.
Again the encoding restrictions in LDAP could imply the non use of
these.

It is obvious to most that LDAP is not very good generally and in the
case of PKI / certficate issues over a wider scale, totally unusable.

In addition the process one builds into an LDAP client to deal with
referrals and LDAP certficate servers has to be lot larger and therefore
problematic, than that that uses distributed directories with sound
matching rules.

ie. the best it can get depends on the tools to hand.

I therefore beg why the document is being put forward because IMHO - it
promotes systems to be built that will not provide the business utility
demanded by companies using large scale EC/509 technologies. The result
can only be commercial disasters and pain for both suppliers and the
poor customer.

Oh well - 

regards alan

Prev by Date: RE: I-D ACTION:draft-ietf-pkix-ldapv2-schema-02.txt
Next by Date: Re: NEW Data type for certificate selection ?
Previous by thread: I-D ACTION:draft-ietf-pkix-ipki2opp-08.txt
Next by thread: RE: comments on draft-ietf-pkix-ipki2opp-08.txt
Index(es):
- Date
- Thread