RE: NEW Data type for certificate selection ?
Comments in line.
snip - disagree with some but:
I don't want to debate LDAP issues; this is a PKI list. Your e-mail address suggests that you may work for a company that believes directories are the solution to lots of problems. Personally, I don't share that belief, but the more central issue is that I'd like us to not confuse the current definition of directory services, as defined in X.500 and LDAP, with some possible future set of cert validation services. About 5 years ago we developed such a service as part of a DARPA program; it validated certs that a client could not validate because of algorithm incompatibility or similar constraints. Been there, done that. However, the better use of the service was to collect certs and CRLs for the client and deliver them in a form to simplify client cert path validation. That's not an unreasonable service, but it's a far cry from asking a third party to do the validation for you.
I have answered some of this in another email. But why is it that there is little discussion about trust that includes cert validation services, stability of software or formal information models for PKIs (not just object definitions and usage)? Or discussion that deals with the fact that trust is derived from sound scalable system design and implementation qualitative features (not theoretical objects in an abstract system)... and that from the real world perspective we must operationally deal with multiple CA domains and domain agile devices, etc., etc. from different vendors. In addition the "scale" issues do not get discussed, i.e. we seem to ignore the issues re 100s of millions of users that work under dozens of business domains with many certificates each....

IMHO the only way of dealing with this validation and scaling issue from a system and information perspective is through a distributed directory service THAT provides the User and Service information ON WHICH certificates are placed, AND that CAs and validation functions are processes that are supported by such distributed object oriented, name based transaction systems and infrastructure.

Labeling things as third party in this model is also incorrect; the validation service which is directory attached can be owned and trusted by the CA itself. I.e. is a third party "label" applied above a functional label or an operational label or an implementation quality label?

In not sharing my belief re directories are the distributed information systems for supporting global services - can you enlighten me on how you would deploy a multi domain CA infrastructure in today's world that enables single point of authentication (information) for users, simple client software, and how one can deal with such information over a distributed global area for 100s of Ms of Users, etc.

By not putting the correct perspective on directories in support of distributed information functions like CAs - all one is doing is building islands of mechanisms, e.g. it's like developing lots of customised PABXs.

Is "trust" relying that a service works and is globally scalable (e.g. the phone system)? E.g. the Internet is slow... I will ring the ISP on the phone system because I know that always works.

Or is trust some theory about abstract objects placed in an abstract security policy on a yet to be defined unscalable implementation?
just views and regards alan
Steve