Re: A web of directories



Rich, what I'm trying to do is to find a way to make directories work,
given the fact that at present there is no reliable, overarching
directory, yet there are hundreds of thousands if not millions
of corporate directories installed and running.

The problem is that since those have been installed primarily for
internal corporate use, there is no way of knowing where they are,
even if the directory owner has installed a partial replica on the outside
of the firewall where it would be accessible.

At present, of course, random DNs hardly show up at all, because
the existing protocols, recognizing that richly interconnected
directories don't exist, send the entire certificate chain down the path
every time, whether they are needed or not. This is true of SET, it's
true of SSL, and it's true of S/MIME.  This type of unnecessary
"push" distribution is extraordinarily wasteful of bandwidth -- you
say "Hello, world" and get another 1 to 5K of unnecessary baggage.

But this is a chicken and egg problem -- we can't expect the protocols to
stop doing that until there is a workable alternative.

Bob

>>> Rich Salz <salzr@certco.com> 02/22/99 09:11PM >>>
Is it really that common to get a random, unknown DN and expect to
do something useful with it?  Is it so common that it's worth
defining an AIA-style name/attribute component?

How often do you expect to receive a random DN without the associated
cert?  And when you get them, what are you expecting to do with them?

Sure seems a lot easier to say "send the cert"
	/r$