
RE: A web of directories



David, the URI/URL concept was exactly what I had in mind.

However, I wanted it to work across multiple protocols, so I didn't think that
specifying the URI in terms of the current string format was the way to
go, as it wouldn't work for DAP or DSP, for example.  

So I fudged it, by saying that the RDN component would be in ASN.1 
format, as would the rest of the DN, but that the client was responsible for
translating the DER encoded DN into whatever format that particular 
protocol required.

This provides the ability to have our cake and eat it too -- we can stay within 
the X.500 name structure, with all of the advantages of strong type 
encoding where required, while still being compatible with LDAP or 
whatever else is required.

I'm not quite sure I understood your point about having a "default" directory
pointer, especially as it pertains to the ambiguity of where Springfield is located.
Maybe you would like to elaborate.

What I had in mind was to provide at least one guaranteed-to-be-found
location where a particular DN is defined, along with the appropriate certificate
content or other payload.  If desired, the user could include in the SET of
directory providers each and every such directory, and let the client software
choose between them based on any criteria it chooses, such as location 
in the same country (based on the DNS suffix), access protocol supported, etc.

Bob


>>> "Kurn, David" <david.kurn@compaq.com> 02/22/99 01:01PM >>>
Bob et al

Nice generalization.  Of course, you have just re-invented a URI (or is it
URL), so why not in general allow the syntax:

<name-of-protocol>://<ip-address-and-maybe-portno>/<stuff-interpreted-by-the-server>

as the access to the certificate lookup service.  Obvious candidates are
ldap: http: https:

with "ldap:" probably being the default.

I have a problem with presuming any kind of default directory pointer (in
general) because you have no idea where or who will be using your
certificates.  As a metaphor, consider that I send you a snail-mail message,
and list on the top-left of the envelope a return address like:

  123 First Street
  Springfield

Now, as you may know, there are at least 26 instances of Springfield in the
US, but since you're in Utah, you should assume it means "Springfield Utah"?
Hmmm.... Bad idea.

I have no idea if there's any hope in our lifetime of affecting standards,
but at least the discussion is interesting.

-----Original Message-----
From: Bob Jueneman [mailto:BJUENEMAN@novell.com] 
Sent: Monday, February 22, 1999 11:38 AM
To: Kurn, David; tgindin@us.ibm.com 
Cc: ietf-pkix@imc.org 
Subject: A web of directories

<snip>
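The two ideas in the thread above, Bob's (keep the DN as DER and let the client render it into whatever each access protocol wants, then choose among a SET of directory providers) and David's (a URI of the shape <protocol>://<host-and-port>/<server-stuff> for the certificate lookup), worked through as an added example. This is not code from the thread or from any of its participants. The DER parser is a minimal one written here for an X.501 Name, the RFC 2253 string form and RFC 2255 ldap: URL layout are the formats an LDAP client would need, and the sample DN, host names and provider URLs are constructed for illustration.

```python
"""Added example: keep the X.500 Name as DER, render it per protocol.

Minimal DER parser for a Name (SEQUENCE OF SET OF AttributeTypeAndValue),
an RFC 2253 string renderer, an ldap: URL builder, and a client-side
provider chooser.  Sample DN and hosts are constructed, not real entries.
"""
import urllib.parse

# Attribute types to RFC 2253 short names; anything else falls back to the dotted OID.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
              "2.5.4.10": "O", "2.5.4.11": "OU", "0.9.2342.19200300.100.1.25": "DC"}
# Characters RFC 2253 requires escaping inside an attribute value.
_SPECIAL = ',+"\\<>;'


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (DER forbids indefinite)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_der_name(der):
    """Return [[(oid, value), ...], ...]: one inner list per RDN, in DER order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        atvs, p = [], 0
        while p < len(rdn):
            tag, atv, p = _read_tlv(rdn, p)
            t, oid, q = _read_tlv(atv, 0)
            if tag != 0x30 or t != 0x06:
                raise ValueError("bad AttributeTypeAndValue")
            vtag, val, _ = _read_tlv(atv, q)
            if vtag not in (0x13, 0x16, 0x0C):   # PrintableString, IA5String, UTF8String
                raise ValueError("unsupported string type %#x" % vtag)
            atvs.append((_decode_oid(oid), val.decode("utf-8")))
        rdns.append(atvs)
    return rdns


def _escape(value):
    """RFC 2253 value escaping: specials, leading/trailing space, leading '#'."""
    return "".join("\\" + c if c in _SPECIAL or (c == " " and i in (0, len(value) - 1))
                   or (c == "#" and i == 0) else c for i, c in enumerate(value))


def to_rfc2253(rdns):
    """LDAP string form: RDNs reversed (most specific first), '+' joins multi-valued RDNs."""
    return ",".join("+".join(f"{ATTR_NAMES.get(o, o)}={_escape(v)}" for o, v in rdn)
                    for rdn in reversed(rdns))


def ldap_url(host, rdns, port=389, attrs="userCertificate;binary"):
    """RFC 2255 shape: ldap://host:port/<percent-encoded DN>?attrs?scope."""
    return f"ldap://{host}:{port}/{urllib.parse.quote(to_rfc2253(rdns), safe='=,+')}?{attrs}?base"


def pick_provider(urls, supported=("ldap", "https"), country_tld=None):
    """Client-side choice among the SET of providers: drop schemes the client
    cannot speak, then prefer a host under the user's country TLD (a weak
    hint only: a .com suffix says nothing about where the server is)."""
    usable = [u for u in urls if urllib.parse.urlsplit(u).scheme in supported]
    local = [u for u in usable
             if country_tld and urllib.parse.urlsplit(u).hostname.endswith("." + country_tld)]
    return (local or usable or [None])[0]


# Sample DN, built with a tiny DER encoder (constructed data, not a real entry).
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body          # short-form length only


def _atv(oid, string_tag, text):
    return _tlv(0x30, _tlv(0x06, oid) + _tlv(string_tag, text.encode()))


SAMPLE_DN_DER = _tlv(0x30,
    _tlv(0x31, _atv(b"\x55\x04\x06", 0x13, "US"))
    + _tlv(0x31, _atv(b"\x55\x04\x0A", 0x13, "Example, Inc."))   # comma must be escaped
    + _tlv(0x31, _atv(b"\x55\x04\x0B", 0x13, "Directory")          # multi-valued RDN
               + _atv(b"\x55\x04\x03", 0x0C, "Bob Jueneman")))

if __name__ == "__main__":
    rdns = parse_der_name(SAMPLE_DN_DER)
    print(to_rfc2253(rdns))
    print(ldap_url("ldap.example.com", rdns))
    print(pick_provider(["dap://x500.example.ch/c=ch", "ldap://ldap.example.us/c=us"],
                        country_tld="us"))
```

The DER stays the canonical name; only the rendering changes per protocol, so a DAP client would hand the same bytes straight to the directory while the LDAP client goes through to_rfc2253 and percent-encoding. The truncation check in _read_tlv matters because a DN arrives from an untrusted certificate or directory entry, and a length field that overruns the buffer is the classic way a lazy ASN.1 parser goes wrong.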