
Re: NEW Data type for certificate selection ?



Alan,

While I personally agree that X.500 provides a mature and feature rich
core to implement certificate repositories, I am having trouble
understanding some of your assertions as to why X.500 is the answer to
so many problems.  

It seems to me that the first step for locating certificates in a
repository is to define the fields in the certificate object that are a
prerequisite to perform the match.  Matching rules are a good start and
foster the thought process required to provide a well designed solution.
Once the matching rules are defined, a protocol such as DAP or LDAP V3
with extensions may be used to exploit the matching rules.  In some
cases, clients may choose not to use the matching rules and retrieve all
certificates.  Perhaps matching rules are not supported by the protocol
(LDAP V2 or HTTP), therefore the client will collect all the
certificates and perform the match locally.  This may be even more
efficient than submitting multiple searches with different variations of
matching rules.  It could easily be more efficient to submit one search
and retrieve 10 certificates, than to submit 3 searches with different
matching rules each time until the required certificate is found.  This
should be defined by local policies based on performance analysis.

Once the rules for matching certificates are defined (and I think X.500
matching rules are an excellent start) the distribution model can be
analyzed.  This is another case where X.500 may be superior to LDAP, but
unless you have a well planned global infrastructure neither X.500 nor
LDAP can help with the distribution model.

Dave Horvath

Alan Lloyd wrote:
> 
> 
> Snip
> 
> ----------
> From: pgut001@cs.auckland.ac.nz
> To: cert-talk@structuredarts.com; ietf-pkix@imc.org;
> list@seis.nc-forum.com
> Sent: 9/29/98 1:01:30 PM
> Subject: Re: NEW Data type for certificate selection ?
> 
> Peter - you went through great lengths to define the problem with
> relationships between and searching directory based objects and a
> distributed information issue and then you say:
> "
>  If anyone has any useful solutions for this (apart from "We should
> force
> everyone to use an X.500 directory, that would solve everything" :-) I'd
> be interested in hearing them.
> 
> "
> Oh well - that counts me out. I cannot do solutions - without the
> solution :-)))
> regards alan
> 
> Peter.
>
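The "retrieve all certificates and perform the match locally" fallback that Dave describes for protocols without matching rules (LDAP V2, HTTP), as an added example that is not from this thread: a stdlib-only Python sketch of a client-side certificate assertion with the AND semantics of X.509 certificateMatch (every component present in the assertion must hold). The CertRecord and CertificateAssertion types, the field subset they carry, and the sample certificates are constructed for illustration; a real client would fill the records by parsing the DER it retrieved.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class CertRecord:
    """Already-parsed view of one X.509 certificate fetched from the repository (constructed)."""
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    key_usage: FrozenSet[str]

@dataclass(frozen=True)
class CertificateAssertion:
    """Optional components; every component that is present must hold (AND semantics)."""
    issuer: Optional[str] = None
    serial: Optional[int] = None
    valid_at: Optional[datetime] = None
    key_usage: FrozenSet[str] = frozenset()  # required bits; must be a subset of the cert's keyUsage

def certificate_match(cert: CertRecord, a: CertificateAssertion) -> bool:
    """True when every component present in the assertion matches the certificate."""
    if a.issuer is not None and cert.issuer != a.issuer:
        return False
    if a.serial is not None and cert.serial != a.serial:
        return False
    if a.valid_at is not None and not (cert.not_before <= a.valid_at <= cert.not_after):
        return False
    return a.key_usage <= cert.key_usage

def select_locally(certs: List[CertRecord], a: CertificateAssertion) -> List[CertRecord]:
    """Client-side filtering of a bulk retrieval: one search, then match locally."""
    return [c for c in certs if certificate_match(c, a)]

def utc_date(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample repository contents: two issuers, one expired certificate,
# and a serial number that repeats across issuers (so serial alone is not a selector).
SAMPLE_CERTS = [
    CertRecord("CN=Example CA", 1, utc_date(2024, 1, 1), utc_date(2026, 1, 1),
               frozenset({"digitalSignature", "keyEncipherment"})),
    CertRecord("CN=Example CA", 2, utc_date(2020, 1, 1), utc_date(2021, 1, 1),
               frozenset({"digitalSignature"})),
    CertRecord("CN=Other CA", 1, utc_date(2024, 1, 1), utc_date(2026, 1, 1),
               frozenset({"keyEncipherment"})),
]
```

With an empty assertion every retrieved certificate is returned, which is the degenerate case the thread mentions; adding issuer, validity time and required key usage narrows the result to the single certificate a relying party actually wants.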