Re: Finding PKIX Servers!
-----Original Message-----
From: David P. Kemp <dpkemp@missi.ncsc.mil>
To: ietf-pkix@imc.org <ietf-pkix@imc.org>
Date: Wednesday, February 10, 1999 9:52 AM
Subject: RE: Finding PKIX Servers!
>Similarly, the PKIX community should require that any proposal for
>a standardized cert retrieval mechanism enable a similar separation
>between CAs and repositories. A repository can have one or more
>names; it doesn't matter whether they are in the DNS space or the
>X.500 space except that: 1) names registered under DNS are global
>today, and 2) if you are going to use the Internet to move data
>around, you have to wind up with an IP address for the repository
>at some point. Mapping X.500 names to IP addresses involves
>either creating a separate infrastructure parallel to DNS, or using
>a three step lookup: X.500 name -> DNS name -> IP address.
PKIX already enables any deployment to separate CAs from
Repository agents. Today, a VeriSign Certificate can contain
a URL to a ValiCert OCSP responder. Or not. Similarly,
the same certificate can implicitly point a user to
the formal notice Repository (VeriSign Repository) or
explicitly point to one managed by the US Dept. of Defense.
I do not believe we need to first standardize a global name server
infrastructure to enable PKIX to succeed. Nor should we
make a conformance condition hinge on the requirement
for PKIX conformance-claiming software to deal with
name servers. Of course it should be an option for
those making integrated PKI/Directory/URN solutions,
particularly in the corporate LAN world of NDS and
Active Directory.
Peter.
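The separation Peter describes, a certificate carrying URLs to an OCSP responder or repository that is run by someone other than the CA, can be shown in code. The following Go example is added here and is not from this thread or from any party named in it; it builds a constructed self-signed certificate whose AIA and CRL Distribution Points extensions point at hypothetical example.* hosts, then lists the DNS names a relying party must resolve, without ever consulting the issuer's X.500 name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

// MakeCert builds a constructed, self-signed certificate whose AIA (OCSP and
// caIssuers) and CRL Distribution Points extensions carry the given URLs.
func MakeCert(ocsp, caIssuers, crldp []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example CA"}}, // hypothetical X.500 name
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		OCSPServer:            ocsp,      // AIA id-ad-ocsp
		IssuingCertificateURL: caIssuers, // AIA id-ad-caIssuers
		CRLDistributionPoints: crldp,     // CRL Distribution Points extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RepositoryHosts returns, in certificate order, the distinct DNS names a client
// must resolve to reach the repositories; the issuer's X.500 DN plays no part.
func RepositoryHosts(c *x509.Certificate) []string {
	all := append(append(append([]string{}, c.OCSPServer...), c.IssuingCertificateURL...), c.CRLDistributionPoints...)
	seen, hosts := map[string]bool{}, []string{}
	for _, raw := range all {
		u, err := url.Parse(raw)
		if err != nil || u.Hostname() == "" || seen[u.Hostname()] {
			continue // locators without a DNS host (e.g. ldap:///DN) are skipped
		}
		seen[u.Hostname()] = true
		hosts = append(hosts, u.Hostname())
	}
	return hosts
}
```

Every host returned is a DNS name, which is the point made in the quoted message: whatever name the repository carries, the client ends up needing an IP address, and the certificate already hands it a resolvable one.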