Re: Finding PKIX Servers!



Andrew,

[snip]
> 
	[Andrew Probert]  Yep.. I agree that an extension could be used
because the current extension is a Uniform Resource Locator, which
constrains the reference to a WWW style protocol http://, ftp://, (and even
ldap://).  This current extension presupposes / forces certificate
validation paths into the infrastructure of URN/DNS/IP/ARP resolution and
protocols.

	Alternatively, when I already have the IssuerDistinguishedName, if
there was actually a PKIX naming resolution protocol in place I can simply
look this up to find the servers.   The result of my lookup should be an
information object telling me the supported protocol(s) and services of that
CA.  

	I suggest that X.500/DSP is stable and mature for online relay of
queries.  X.500/DISP addresses some replication / caching issues.  The
protocol is already certificate / crypto aware.  It can be accessed by
front-end protocols of LDAP, DAP and Web/LDAP gateways.

[RRJ]  Ok, I think we are getting somewhere.

But...

Suppose the relying party is the legendary little old lady in Dubuque.  
All she wants to do is be sure that amazon.com is really who they say they 
are.  Let's imagine that she has an LDAP client available through her generic 
browser -- what does she do?

She is knowledgeable enough to check the certificate for Amazon before 
placing an order, and finds that there is one, but being a little suspicious, 
decides to check on who issued it, and clicks on "Issuer".  Yup, there it is,
     US
     "RSA Data Security, Inc."
     Secure Server Certification Authority

Great! Now her LDAP server knows exactly where to go (assuming that this was 
the next certificate in the chain, and not the root.)  Go to the US, and search for 
RSA Data Security, Inc. in the US's X.500 directory!  Maybe, just maybe, it will tell
you what the DNS name, port number, etc., are that LDAP would have to use to 
do anything.

Does she have to be preconfigured with the LDAP server address of her ISP or portal?
What if the Issuer is not a well-known public CA, but the Pasadena Ladies Garden
Club,  which hands out certificates to the members once a year, and then shuts down
the server.

All the members of the Garden Club know that they use an external repository to maintain
their CRL list, but how does the LOLFD know that?  Or even AOL?

The more I think about it, the more I like the idea of including a URL for the issuer's
directory in the certificate itself.

Bob
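
The two lookup paths argued over above, as an added example that is not
part of the thread and not code from either poster.  It builds a throwaway
CA whose subject is the issuer DN from the Amazon example, issues a leaf
from it with and without URLs embedded, and shows what a relying party can
find in each case.  The PKIX certificate profile carries such URLs in the
CRL Distribution Points and Authority Information Access extensions (RFC
5280 sections 4.2.1.13 and 4.2.2.1), which is what the Go x509 fields used
here map to.  The "directory" is an in-memory map standing in for whatever
DN-to-server resolution service the relying party would have to be
preconfigured with; the hostnames, the map contents and the Garden Club
issuer are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// The issuer DN from the Amazon example, as a pkix.Name (constructed here).
var ExampleIssuer = pkix.Name{
	Country:            []string{"US"},
	Organization:       []string{"RSA Data Security, Inc."},
	OrganizationalUnit: []string{"Secure Server Certification Authority"},
}

// DNKey flattens the DN attributes this example's directory is keyed on.
func DNKey(n pkix.Name) string {
	parts := []string{}
	parts = append(parts, n.Country...)
	parts = append(parts, n.Organization...)
	parts = append(parts, n.OrganizationalUnit...)
	return strings.Join(parts, "/")
}

// DirectoryByDN stands in for a DN-to-server resolution service. The relying
// party must already know how to reach it, and it only answers for issuers
// someone has listed. Constructed for this example; hostname is hypothetical.
var DirectoryByDN = map[string][]string{
	DNKey(ExampleIssuer): {"ldap://directory.example.net/"},
}

// MakeLeaf issues an end-entity certificate from a throwaway in-memory CA whose
// subject is issuer. With withURLs set, the leaf carries CRL Distribution
// Points and Authority Information Access URLs (hypothetical hostnames);
// otherwise the relying party is left with only the issuer DN.
func MakeLeaf(issuer pkix.Name, withURLs bool) (*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               issuer,
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.amazon.com"},
		NotBefore:    now,
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if withURLs {
		leaf.CRLDistributionPoints = []string{"http://crl.example.net/ca.crl"}
		leaf.OCSPServer = []string{"http://ocsp.example.net/"}
		leaf.IssuingCertificateURL = []string{"http://ca.example.net/ca.cer"}
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Locate answers "where does the relying party go?" for one certificate.
// URLs carried in the certificate win; without them the only handle is the
// issuer DN, which has to be resolved through a directory the relying party
// already knows about, and that fails for an issuer nobody has listed.
func Locate(cert *x509.Certificate) (source string, urls []string, err error) {
	urls = append(urls, cert.CRLDistributionPoints...)
	urls = append(urls, cert.OCSPServer...)
	urls = append(urls, cert.IssuingCertificateURL...)
	if len(urls) > 0 {
		return "certificate", urls, nil
	}
	key := DNKey(cert.Issuer)
	if found, ok := DirectoryByDN[key]; ok {
		return "directory", found, nil
	}
	return "", nil, fmt.Errorf("no URLs in certificate and no directory entry for issuer %q", key)
}

func main() {
	gardenClub := pkix.Name{Country: []string{"US"}, Organization: []string{"Pasadena Ladies Garden Club"}}
	cases := []struct {
		issuer   pkix.Name
		withURLs bool
	}{{ExampleIssuer, true}, {ExampleIssuer, false}, {gardenClub, false}}
	for _, c := range cases {
		cert, err := MakeLeaf(c.issuer, c.withURLs)
		if err != nil {
			panic(err)
		}
		src, urls, err := Locate(cert)
		fmt.Printf("issuer %q: source=%q urls=%v err=%v\n", DNKey(cert.Issuer), src, urls, err)
	}
}
```

Run as is, the three cases come out as: URLs found in the certificate, URLs
found only by resolving the DN through the preconfigured directory, and no
result at all for the Garden Club, since it carries no URLs and nobody has
entered it in the directory.  The issuer DN itself is copied verbatim from the
CA's subject at issuance, so it is always present; what varies is whether it
is a usable locator on its own.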