
RE: Finding PKIX Servers!



> I'm at a loss to understand Phill's suggestion to use DNS SRV records
> (instead of just putting the CA's URL in the cert itself), and Alan
> Lloyd's suggestion that putting a URL in a cert would require an
> army of administrators.  Running a directory tightly coupled to
> the security management infrastructure requires the army; running
> a loosely coupled directory/repository named in a URL is easier.

The URL-in-the-cert method is fine, but some folk have a problem with it. For example,
the revocation service may be other than the one the CA originally specified. It may
not be possible to access the URL specified in the cert when the time comes
to rely on it.

My interpretation of Alan's post was that he is proposing much more.
He wants to weld the PKI to the directory so that if the directory is
down it is certain the PKI will be as well. This is the 'directory
dependent' model of PKI; I don't like that idea.


The 'directory linked' approach, which I believe is sensible, uses the directory
only for purposes that are a good fit, i.e. locating parties.
One problem is how you obtain the cert in the first place, given that
you are probably looking for a cert which maps to fred@xyz.org so you can
do email. URLs in the cert don't help in this case :-)

According to Alan you go to the global X.500 directory system and
perform a lookup. This approach has only three problems: first, no such
directory exists; second, if it did, it might get tiresome doing a search of
the entire directory space for an entry with the right attribute; third,
X.500 is only standardized over the OSI network stack and not over IP, and
LDAP does not include the replication protocols being promoted as the basis
for the 'global scalability' claim.


In conclusion I really don't know why we need the argument. We have
established a function for directories in PKIX that makes sense. We
have revocation mechanisms which make sense. I don't know why we need
to conflate revocation of authentication credentials and the directory.
Authorization credentials might be another matter, but those are not
currently in PKIX scope.

		Phill
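The point Phill makes above is that a URL written into a certificate is fixed at issue time, while a DNS SRV name is an indirection that the operator of the zone can repoint after the fact, for instance at a revocation service other than the one the CA first stood up. As an added illustration (this is not code from the original thread, and PKIX defines no such mechanism), the following Python implements the client side of that indirection: parsing SRV records in zone-file form and ordering them by priority and weight as RFC 2782 prescribes, including the "target is ." convention for "service decidedly not available". The `_pkix._tcp` service label and the zone data are constructed for the example and are assumptions, not names the page defines.

```python
"""SRV-based service location, as a relying party would do it (added example).

The service label `_pkix._tcp` and the zone contents below are constructed
for illustration; they are not a registered service name or real data.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # query name the record answers, e.g. "_pkix._tcp.xyz.org"
    priority: int   # lower is preferred (RFC 2782)
    weight: int     # relative share within one priority level
    port: int
    target: str     # host name, or "." meaning "service not available here"


def _canon(name: str) -> str:
    """Lower-case a domain name and drop the trailing dot, keeping "." as-is."""
    return "." if name == "." else name.rstrip(".").lower()


def parse_srv_rr(line: str) -> SrvRecord:
    """Parse one SRV record in presentation form:
    "<owner> [TTL] [IN] SRV <priority> <weight> <port> <target>".
    """
    fields = line.split()
    if "SRV" not in fields:
        raise ValueError(f"not an SRV record: {line!r}")
    rdata = fields[fields.index("SRV") + 1:]
    if len(rdata) != 4:
        raise ValueError(f"SRV RDATA needs 4 fields, got {len(rdata)}: {line!r}")
    prio, weight, port, target = rdata
    return SrvRecord(_canon(fields[0]), int(prio), int(weight), int(port), _canon(target))


def load_zone(text: str) -> List[SrvRecord]:
    """Parse every non-comment, non-blank line of a small zone fragment."""
    return [parse_srv_rr(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(";")]


def order_srv(records: Iterable[SrvRecord],
              rng: Optional[Callable[[int], int]] = None) -> List[SrvRecord]:
    """Return records in the order a client should try them (RFC 2782).

    `rng(total)` must return an int in [0, total]; it is injectable so the
    ordering can be made deterministic in tests.
    """
    if rng is None:
        rng = lambda total: random.randint(0, total)
    records = list(records)
    # A lone record whose target is "." says the service is deliberately absent.
    if len(records) == 1 and records[0].target == ".":
        return []
    by_prio: Dict[int, List[SrvRecord]] = defaultdict(list)
    for r in records:
        by_prio[r.priority].append(r)
    ordered: List[SrvRecord] = []
    for prio in sorted(by_prio):
        # Zero-weight records are placed first so they keep a small chance of
        # selection; then repeatedly pick one record by weighted running sum.
        group = ([r for r in by_prio[prio] if r.weight == 0] +
                 [r for r in by_prio[prio] if r.weight > 0])
        while group:
            total = sum(r.weight for r in group)
            pick = min(max(rng(total), 0), total)
            running = 0
            for i, r in enumerate(group):
                running += r.weight
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered


def lookup_srv(zone: List[SrvRecord], qname: str,
               rng: Optional[Callable[[int], int]] = None) -> List[SrvRecord]:
    """Answer a query name from the loaded zone, in client trial order."""
    return order_srv([r for r in zone if r.owner == _canon(qname)], rng)


# Constructed sample zone (not real data). Note the zone operator can move the
# service to a different host, here one outside the CA's own domain, without
# touching any issued certificate.
ZONE = load_zone("""
; constructed example zone
_pkix._tcp.xyz.org.    3600 IN SRV 10 60 389 ldap1.xyz.org.
_pkix._tcp.xyz.org.    3600 IN SRV 10 40 389 ldap2.xyz.org.
_pkix._tcp.xyz.org.    3600 IN SRV 20  0 389 revocation.other-ca.example.
_pkix._tcp.nopki.org.  3600 IN SRV  0  0   0 .
""")

if __name__ == "__main__":
    for r in lookup_srv(ZONE, "_pkix._tcp.xyz.org"):
        print(f"try {r.target}:{r.port} (priority {r.priority}, weight {r.weight})")
    print("nopki.org ->", lookup_srv(ZONE, "_pkix._tcp.nopki.org"))
```

Run it a few times and the two priority-10 hosts swap places roughly 60/40, while the priority-20 host is always tried last; the query for `nopki.org` returns nothing, which is the SRV way of saying "don't go looking for this service here". Contrast that with a URL inside a cert, which can only ever name the host the CA knew about on the day of issue.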