
RE: Finding PKIX Servers!



Bob,

I agree with the concept you proposed, although such an extension will again make each subject's certificate bigger. I think that a new access method under the authority information access extension could probably meet your requirement:

AuthorityInfoAccessSyntax ::=
        SEQUENCE SIZE (1..MAX) OF AccessDescription

AccessDescription ::= SEQUENCE {
        accessMethod    OBJECT IDENTIFIER,
        accessLocation  GeneralName }

id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }

id-ad-repository OBJECT IDENTIFIER ::= { id-ad TBD }

Where this id-ad-repository OID is used to associate an Internet style identity for the location of the repository to retrieve the issuer's certificate in cases where such a location is not related to the issuer's name.

If this access location would happen to change for any reason before certificates using this access method have expired, then all these certificates would have to be revoked and reissued unless two different access locations could be maintained during the transition period.

Francois Rousseau
AEPOS Technologies

Bob Jueneman wrote:
[snip]
>So I'll say again, wouldn't it be a Good Thing if we could have an optional attribute
>in a certificate that is associated with the Issuer's name somehow, one that would
>provide the DNS name of an LDAP server that contains the Issuer's certificate?
>
>At this point in time, I don't care particularly what form the attribute takes -- it could be
>an agreed-upon semantics for DNS name as a form of alternateSubjectName, or it
>could be some other alternateSubjectName attribute, or some other attribute entirely.
>
>But is there at least some agreement about the potential utility of this concept?
>
>Bob
>
>Robert R. Jueneman
>Security Architect
>Network Security Development
>Novell, Inc.
>122 East 1700 South
>Provo, UT 84606
>bjueneman@novell.com
>1-801-861-7387
>
>
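The following is an added example, not code from either message in this thread: a dependency-free DER encoder and decoder for the AuthorityInfoAccessSyntax structure quoted above, with accessLocation carried as the uniformResourceIdentifier choice of GeneralName. It assumes a placeholder arc `{ id-ad 999 }` for id-ad-repository (the message leaves it as TBD, so this value is invented for illustration only); id-ad-caIssuers `{ id-ad 2 }` is a real assignment. The sample value also carries two repository descriptions for the same access method, which is how the transition period described in the reply (old and new location both present) would look on the wire. Sample URIs are constructed.

```python
"""DER encode/decode of AuthorityInfoAccessSyntax (added example, not from the
thread).  Only the uniformResourceIdentifier form of GeneralName is handled."""

ID_AD = "1.3.6.1.5.5.7.48"                   # id-ad, real arc
ID_AD_CA_ISSUERS = ID_AD + ".2"               # id-ad-caIssuers, real
ID_AD_REPOSITORY_PLACEHOLDER = ID_AD + ".999" # hypothetical: thread says "TBD"

def encode_length(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def tlv(tag, content):
    """Tag-length-value wrapper."""
    return bytes([tag]) + encode_length(len(content)) + content

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted-decimal text (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def encode_aia(entries):
    """entries: list of (accessMethod OID, URI).  GeneralName's
    uniformResourceIdentifier is [6] IMPLICIT IA5String -> tag 0x86."""
    descs = b"".join(
        tlv(0x30, encode_oid(oid) + tlv(0x86, uri.encode("ascii")))
        for oid, uri in entries)
    return tlv(0x30, descs)

def read_tlv(data, pos):
    """Return (tag, content, position after the element)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_aia(der):
    """Parse AuthorityInfoAccessSyntax into a list of (OID, URI) pairs;
    AccessDescriptions whose location is not a URI are skipped."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE OF AccessDescription"
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        assert tag == 0x30, "expected AccessDescription SEQUENCE"
        t, oid_bytes, p = read_tlv(desc, 0)
        assert t == 0x06, "accessMethod must be an OID"
        t, loc, _ = read_tlv(desc, p)
        if t != 0x86:            # other GeneralName choices not handled here
            continue
        out.append((decode_oid(oid_bytes), loc.decode("ascii")))
    return out

def locations_for(der, method_oid):
    """All accessLocation URIs advertised for one accessMethod (may be several
    during a repository transition, as the reply suggests)."""
    return [uri for oid, uri in decode_aia(der) if oid == method_oid]

# Constructed sample: one caIssuers pointer plus old and new repository URIs.
SAMPLE_ENTRIES = [
    (ID_AD_CA_ISSUERS, "http://ca.example.com/issuer.cer"),
    (ID_AD_REPOSITORY_PLACEHOLDER, "ldap://old-repo.example.com"),
    (ID_AD_REPOSITORY_PLACEHOLDER, "ldap://new-repo.example.com"),
]
SAMPLE_DER = encode_aia(SAMPLE_ENTRIES)

if __name__ == "__main__":
    print(SAMPLE_DER.hex())
    print(locations_for(SAMPLE_DER, ID_AD_REPOSITORY_PLACEHOLDER))
```

A relying party that understood the new access method would try each URI returned by `locations_for` in turn, so a CA can publish the old and new repository side by side for the transition period instead of revoking and reissuing every certificate.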