RE: Finding PKIX Servers!
This discussion starts to sound as if it is not about PKIX, or even
directories. The real agenda appears to be resurrecting OSI, or at the
very least attempting to promote the version of history in which OSI
failed for purely political reasons.
This discussion really has nothing to do with the design of PKIX and
is ultimately counter-productive since many lurkers following the
discussion will have received a very negative opinion concerning
X.500 and interpreted this to mean that directories generally are out
of favour and not, as is the case, certain (rather eccentric) applications
thereof.
Any chance this discussion can be taken up on pki@flat-earth.org?
> No, all one needs is a "port" on a directory service
You do not just need a port on any old directory service, it has to be
a global NAME service with naming consistency. Furthermore, to be useful
in the proposed application it has to tie to the numbering infrastructure
of the Internet.
X.500 satisfies neither condition. It is a directory and NOT, repeat NOT,
a name system at this point. X.500 was originally intended to provide a
name service but grew into something different.
Suggesting widespread deployment of X.500/DSP ignores the fact that the
lower level OSI protocols are an abject failure at this point. The rate
of deployment is actually negative at this point. The world does not
require a directory replication protocol for replication of a name space.
DNS is widely deployed on a global scale, DST ain't. If it were
necessary to redesign DNS I would not consider DST as a substitute.
There is no evidence that DST is more scalable than DNS and plenty
of reason to believe it to be less scalable - DNS has the advantage
of applying highly domain specific optimizations which a general
purpose directory system cannot. Nor is the approach taken by OSI
particularly different in structure so as to make me believe it to
be capable of greater scalability.
The solution to finding PKIX servers is very simple. Write a profile
which defines what information a 'PKIX server' must provide via a
specific transport. Advertise a PKIX server providing information
corresponding to the xyz.net domain via an SRV record of the form
__pkix._ldap._tcp.xyz.net.
A directory service is not a name service. Failure to understand
this was the principal reason for the technical failure of OSI. We
should not make the same mistake.
Phill
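The post above proposes locating a PKIX server through a DNS SRV record. As an added example that is not part of the original message or of any PKIX implementation, the Python below parses SRV records in zone-file form and orders them the way RFC 2782 tells a client to (lowest priority first, weighted random selection within a priority, zero-weight records placed first so they are rarely chosen, and a target of "." meaning the service is not offered). The owner name `_pkix._tcp.example.net.` and the host names are constructed placeholders; the records are embedded inline rather than fetched, so it runs offline.

```python
import random
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

# Constructed sample zone lines (placeholder names, not a real deployment).
# RFC 2782 owner-name form: _service._proto.name
SAMPLE_ZONE = """
_pkix._tcp.example.net. 3600 IN SRV 10 60 389 ldap1.example.net.
_pkix._tcp.example.net. 3600 IN SRV 10 40 389 ldap2.example.net.
_pkix._tcp.example.net. 3600 IN SRV 10 0 389 ldap0.example.net.
_pkix._tcp.example.net. 3600 IN SRV 20 0 389 ldap3.example.net.
_pkix._tcp.example.net. 3600 IN SRV 30 0 0 .
"""

def parse_srv_rdata(line: str) -> SrvRecord:
    """Parse one SRV resource record in master-file syntax.

    Accepts both 'name TTL IN SRV ...' and 'name IN SRV ...' by locating the
    SRV type token; the four RDATA fields follow it.
    """
    fields = line.split()
    try:
        idx = [f.upper() for f in fields].index("SRV")
    except ValueError:
        raise ValueError(f"not an SRV record: {line!r}") from None
    rdata = fields[idx + 1:]
    if len(rdata) != 4:
        raise ValueError(f"SRV RDATA must have 4 fields: {line!r}")
    priority, weight, port = (int(f) for f in rdata[:3])
    if not (0 <= priority <= 65535 and 0 <= weight <= 65535 and 0 <= port <= 65535):
        raise ValueError(f"SRV field out of 16-bit range: {line!r}")
    return SrvRecord(priority, weight, port, rdata[3])

def parse_zone(text: str) -> List[SrvRecord]:
    return [parse_srv_rdata(l) for l in text.splitlines() if l.strip()]

def order_by_rfc2782(records: List[SrvRecord], rng=random) -> List[SrvRecord]:
    """Return records in the order a client should try them (RFC 2782).

    rng needs a randint(a, b) method; inject a seeded random.Random for
    reproducibility.
    """
    # A target of "." means the service is decidedly not available here.
    available = [r for r in records if r.target != "."]
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in available}):
        group = [r for r in available if r.priority == prio]
        # Zero-weight records go to the front so they are least likely picked.
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            n = rng.randint(0, total)
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= n:
                    ordered.append(group.pop(i))
                    break
    return ordered

def client_endpoints(zone_text: str, rng=random) -> List[Tuple[str, int]]:
    """(host, port) pairs in the order a PKIX client should try them."""
    return [(r.target, r.port) for r in order_by_rfc2782(parse_zone(zone_text), rng)]

if __name__ == "__main__":
    for host, port in client_endpoints(SAMPLE_ZONE, random.Random(1)):
        print(f"{host}:{port}")
```

Two caveats apply when this is used to find a server that will hand out certificates or revocation data: SRV answers fetched over plain DNS are unauthenticated unless the resolver validates DNSSEC, so the client must still authenticate the server it reaches (for example a TLS certificate checked against a configured trust anchor) rather than trusting the name alone; and the profile the post calls for must fix what the chosen endpoint actually serves, since an SRV record only says where to connect, not what is there.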