
RE: Finding PKIX Servers!



Bob Jueneman's comments do raise some nice "wouldn't it have been nicer if"
points, but I think he has identified a real need in our efforts to deploy
PKI.  

Ignoring, for the moment, how I obtained Bob's key-encryption cert in the
first place, there are two other places I must go to before I can evaluate
trust.  

1)  I must find the certificate of the issuer (signer) of the certificate
2)  I must find the CRL which covers this cert.

Of course, this is a recursive problem.

Maybe Bob's suggestion should be augmented so that the LDAP service address
(DNS name) for each is specified in all PKI certs.  Call it optional (to
satisfy the purists), but make it painful to omit.

David Kurn
Compaq Computers Corp
Tandem Division


-----Original Message-----
From: Bob Jueneman [mailto:BJUENEMAN@novell.com]
Sent: Tuesday, February 16, 1999 10:56 AM
To: ietf-pkix@imc.org
Subject: RE: Finding PKIX Servers!


On the heat vs. light scale, a lot of the commentary on this thread 
has been well down in the infrared, but with a few flashes of insight.

Let me try to readdress the points I was trying to make.

<---- snip ---->

So I'll say again, wouldn't it be a Good Thing if we could have an optional
attribute in a certificate that is associated with the Issuer's name somehow,
one that would provide the DNS name of an LDAP server that contains the
Issuer's certificate?

At this point in time, I don't care particularly what form the attribute
takes -- it could be an agreed-upon semantics for DNS name as a form of
alternateSubjectName, or it could be some other alternateSubjectName
attribute, or some other attribute entirely.

But is there at least some agreement about the potential utility of this
concept?

Bob

Robert R. Jueneman
Security Architect
Network Security Development
Novell, Inc.
122 East 1700 South
Provo, UT 84606
bjueneman@novell.com
1-801-861-7387
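The two lookups David lists (first the issuer's certificate, then the CRL that covers the cert) and the recursion he points out, as an added example that is not part of either message: a plain-Python model in which every certificate carries the optional locator the thread proposes. The `Cert`, `CRL` and `Directory` classes, the names, serials and `ldap://` locators are all constructed for this example; in deployed PKIX the equivalent pointers became the Authority Information Access (caIssuers) and CRL Distribution Points extensions of RFC 2459, now RFC 5280. The model carries no keys, so it does not verify signatures; a real path builder must also check every certificate and CRL signature.

```python
"""Recursive issuer-certificate and CRL discovery driven by per-cert locators.

Constructed example: certificates and the 'directory' are plain Python
objects, not real X.509. `issuer_locator` / `crl_locator` stand in for the
pointer the thread asks for (later AIA caIssuers and CRL Distribution Points).
No signatures are checked here; a real path builder must do that too.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    issuer_locator: Optional[str] = None   # where the issuer's cert lives
    crl_locator: Optional[str] = None      # where the covering CRL lives


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked: frozenset                     # revoked serial numbers


class Directory:
    """Stands in for the LDAP servers the thread wants every cert to name."""

    def __init__(self, certs, crls):
        self._certs = certs   # locator -> Cert
        self._crls = crls     # locator -> CRL

    def fetch_cert(self, locator):
        if locator not in self._certs:
            raise LookupError(f"no certificate at {locator}")
        return self._certs[locator]

    def fetch_crl(self, locator):
        if locator not in self._crls:
            raise LookupError(f"no CRL at {locator}")
        return self._crls[locator]


def build_path(leaf, directory, trust_anchors, max_depth=8):
    """Walk leaf -> issuer -> ... -> trust anchor, checking each cert's CRL.

    Returns (chain, status); status is "ok" or a short reason for stopping.
    """
    chain = [leaf]
    seen = {(leaf.subject, leaf.serial)}
    cert = leaf
    for _ in range(max_depth):
        # Step 1: find the issuer's certificate (local anchor or via pointer).
        if cert.issuer in trust_anchors:
            issuer = trust_anchors[cert.issuer]
        elif cert.issuer_locator is None:
            return chain, f"no issuer pointer in {cert.subject}"
        else:
            issuer = directory.fetch_cert(cert.issuer_locator)
            if issuer.subject != cert.issuer:
                return chain, f"issuer pointer of {cert.subject} names {issuer.subject}"
        # Step 2: find the CRL that covers this cert and check it.
        if cert.crl_locator is None:
            return chain, f"no CRL pointer in {cert.subject}"
        crl = directory.fetch_crl(cert.crl_locator)
        if crl.issuer != issuer.subject:
            return chain, f"CRL for {cert.subject} is not from its issuer"
        if cert.serial in crl.revoked:
            return chain, f"revoked: {cert.subject}"
        # Step 3: append the issuer and recurse, unless it is a trust anchor.
        chain.append(issuer)
        if issuer.subject in trust_anchors:
            return chain, "ok"
        key = (issuer.subject, issuer.serial)
        if key in seen:                    # two CAs pointing at each other
            return chain, f"loop at {issuer.subject}"
        seen.add(key)
        cert = issuer
    return chain, "path too deep"


# Constructed directory contents; names, serials and locators are made up.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 1)
ISSUING = Cert("CN=Example Issuing CA", "CN=Example Root CA", 10,
               issuer_locator="ldap://root.example.test/cn=Example Root CA",
               crl_locator="ldap://root.example.test/cn=Example Root CA?crl")
BOB = Cert("CN=Bob", "CN=Example Issuing CA", 42,
           issuer_locator="ldap://ca.example.test/cn=Example Issuing CA",
           crl_locator="ldap://ca.example.test/cn=Example Issuing CA?crl")
MALLORY = Cert("CN=Mallory", "CN=Example Issuing CA", 43,
               issuer_locator=BOB.issuer_locator, crl_locator=BOB.crl_locator)
ORPHAN = Cert("CN=Orphan", "CN=Unknown CA", 7)      # omitted the optional pointer

DIRECTORY = Directory(
    certs={ISSUING.issuer_locator: ROOT, BOB.issuer_locator: ISSUING},
    crls={ISSUING.crl_locator: CRL("CN=Example Root CA", frozenset()),
          BOB.crl_locator: CRL("CN=Example Issuing CA", frozenset({43}))},
)
TRUST_ANCHORS = {ROOT.subject: ROOT}


def evaluate(cert):
    """Resolve one cert against the constructed directory and anchor set."""
    chain, status = build_path(cert, DIRECTORY, TRUST_ANCHORS)
    return [c.subject for c in chain], status


if __name__ == "__main__":
    for c in (BOB, MALLORY, ORPHAN):
        print(c.subject, "->", evaluate(c))
```

The orphan case is the cost of making the pointer optional: with no locator and no local copy of the issuer, evaluation stops before any trust decision can be made, which is exactly the "painful to omit" outcome David wants visible.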