
RE: NEW Data type for certificate selection ?



Comments in line

> -----Original Message-----
> From:	Sarbari Gupta [SMTP:sgupta@cygnacom.com]
> Sent:	Tuesday, 13 October 1998 1:29
> To:	'Dwight Arthur'
> Cc:	ietf-pkix@imc.org
> Subject:	RE: NEW Data type for certificate selection ?
> 
> I have been following this thread with great interest. Since the thread
> was rekindled, I wanted to offer another usage model that needs a
> slightly different selection criterion. I was not sure whether this
> model was discussed before on this list.
> 
> One of the certificate selection mechanisms in use today is based on
> matching the issuer name. SSL implementations allow this form of
> selection. There is another variant of this model that may also be
> useful. In this variant, the certificate selection is based on a prefix
> of the issuer name. For example, the selection may be done based only on
> the country name and the organization name components of the issuer DN.
> Thus, if a large organization has multiple CAs, the selection criteria
> may logically be "a certificate issued by the organization" instead of
> the more restrictive "a certificate issued by a particular CA within the
> organization".
	[Alan Lloyd]  Being a directory oriented person, I think that
there seems to be a confused line between a function called a CA, which
is represented by a directory object (that has certificates), etc., and how
CA functions are represented in a directory system.

	An organisation can in fact be a CA simply by adding a CA V2 aux
class to the OC definition of the "organisation" or org unit concerned.

	In fact any directory object can take on the role of a CA
function by adding the aux OC to the entry, e.g. a CA can be an org person,
a device, an application, a ship, a tank or a kerbside kiosk or
automated ticket machine in a railway station.

	It's the question of how such objects apply a directory
information model (CRLs, root paths, validity indications, etc.) and how
the respective client software validates certificates against such
variances and differing application requirements that is the issue.

	Perhaps directory services and matching rules may help with this
work?

	regards alan

> Do the X.500 matching rules support this kind of selection? This model
> may be useful for SSL connections.
> 
	[Alan Lloyd]  snip
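The issuer-name-prefix selection described in the quoted message (select by country and organization of the issuer DN rather than by the full CA name), as an added example that is not part of this thread. It assumes RFC 2253 style DN strings with single-valued RDNs, represents DNs in X.500 order (root component first, so "prefix" means the C= and O= end), and approximates the X.500 caseIgnoreMatch rule by case-insensitive comparison with collapsed whitespace; the certificate inventory is constructed.

```python
import re
from typing import Dict, List, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value), both normalized


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 2253 style DN string into X.500 order (root, e.g. C=, first).

    Assumptions: single-valued RDNs; commas inside values are escaped as '\\,'.
    Values are normalized to approximate caseIgnoreMatch (case folded,
    runs of whitespace collapsed)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        typ, _, val = part.strip().partition("=")
        val = " ".join(val.replace("\\,", ",").split()).lower()
        rdns.append((typ.strip().lower(), val))
    # RFC 2253 strings list the leaf RDN first; reverse to get X.500 order.
    return list(reversed(rdns))


def issuer_matches_prefix(issuer_dn: str, prefix_dn: str) -> bool:
    """True if issuer_dn begins (in X.500 order) with every RDN of prefix_dn.

    A prefix equal to the full issuer DN degenerates to exact issuer matching,
    the selection mode the message says SSL implementations already offer."""
    issuer, prefix = parse_dn(issuer_dn), parse_dn(prefix_dn)
    if len(prefix) > len(issuer):
        return False
    return all(i == p for i, p in zip(issuer, prefix))


def select_certificates(certs: List[Dict[str, str]], prefix_dn: str) -> List[Dict[str, str]]:
    """Return the certificates whose issuer falls under prefix_dn.

    Note: this is a selection aid only. Any CA whose name starts with the
    prefix qualifies, so the chosen certificate still needs normal path
    validation against the relying party's trust anchors."""
    return [c for c in certs if issuer_matches_prefix(c["issuer"], prefix_dn)]


# Constructed sample inventory (not real certificates): one organization with
# several CAs, plus unrelated issuers that share only part of the name.
SAMPLE_CERTS = [
    {"subject": "CN=alice,OU=Sales,O=Example Corp,C=US", "issuer": "CN=Sales CA,O=Example Corp,C=US"},
    {"subject": "CN=alice,OU=Eng,O=Example Corp,C=US", "issuer": "CN=Eng CA,OU=Engineering,O=Example Corp,C=US"},
    {"subject": "CN=alice,O=Other Ltd,C=GB", "issuer": "CN=Root CA,O=Other Ltd,C=GB"},
    {"subject": "CN=alice,O=Example Corp,C=CA", "issuer": "CN=Canada CA,O=Example Corp,C=CA"},
]
```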