RE: NEW Data type for certificate selection ?
Stephen, naturally a directory cannot develop key sets, but many of the
customised databases being promoted by CAs should be supported by
directory services - otherwise it's a proprietary solution with all the
issues of limited scaling built in. Plus the fact that directories
provide a uniform authentication and access control regime, and
distribution, makes life much more sensible for those deploying CAs.
As for verification, the engineering approach with CAs re CRLs and
complex clients, etc, etc and domain agile requirements just means that
a wide scale, distributed infrastructure, lightweight client, domain
agile device should be taken.
I accept that single domain, complex clients and bespoke validation
paths may serve highly trusted or dedicated enclaves, but there are
other CA areas that need more of an operational and service based
approach.
Adding validation supporting matching rules to directories and/or adding
directory enabled cert validation processes strikes me as the way to go.
I just cannot see how thin, domain agile client software and the system
scaling issues can be dealt with any other way.
But I am open to ideas.
regards alan
> -----Original Message-----
> From: Stephen Kent [SMTP:kent@bbn.com]
> Sent: Tuesday, 20 October 1998 9:15
> To: Alan Lloyd
> Cc: ietf-pkix@imc.org
> Subject: RE: NEW Data type for certificate selection ?
>
> Alan,
>
> I can appreciate the directory perspective of "CA-ness" but I don't
> think that captures all of the issues being raised here. CAs exist
> independent of directories, so many aspects of a CA may not be captured
> by a purely directory-centric view. Still, to the extent that folks look
> to directories to help with cert selection, it's good to keep in mind
> what features a directory can offer to help in addressing this problem.
>
> steve