RE: A web of directories
Hannu,
I agree. And just because you use one or more e-mail providers doesn't
necessarily mean that they provide directory services.
Regardless of which e-mail (or sneaker-net mail) provider is used, you
would like to be able to point to at least one directory, no matter where
it resides or who it is affiliated with.
I agree with Steve that the Authority Information Access extension could
be used for this purpose, although the wording at present suggests that it
is associated with the Issuer, with no way to look up something associated
with the Subject. I assume that could be fixed, if necessary.
(So if I receive a signature-only certificate from someone via S/MIME,
I still don't know and can't find an encryption key for that user in order to
respond to him. That is, unless I look up the Subject's certificate by
Issuer and serial number and then prowl around in the CA's directory. But
this implies that the CA is obligated to maintain a directory containing
all of the Subject certificates, and the CA might not want to do that
or might charge too much.)
I'd still like to find a way of associating this information with the DN itself, so
it would not require access to the certificate, which may be what we are
trying to find.
It could easily be done for a single LDAP URL, but I don't want to necessarily
restrict the directory reference to a single protocol, nor for that matter to a single
directory supplier.
So I'm thinking about a "Generic Access Protocol" type of URL -- one that
would identify the directory supplier by a DNS name. Then perhaps DNS could
then advertise what protocols that directory supports, and what the port number
is.
Because I don't want to force fit any particular protocol, this "GAP" URL would
consist of a header or prefix, followed by a string of DER-encoded RDNs, i.e.,
the "real" DN as God and X.500 intended. :-) The client, e.g., a browser,
would be responsible for translating the "GAP" protocol into one that is supported
by that directory, and for example might translate from RDN into an LDAP
string-type of URL.
I'm in the middle of several hot projects right now and don't have time to think
about this much more at this time, so I would welcome anyone else trying to
move the ball forward.
How real is the SRV capability of DNS, and how widely is it used?
Bob
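As an added illustration of the "GAP" idea above (a DNS name plus the DER-encoded RDNs, with the client translating into an LDAP URL after asking DNS which protocol and port the directory speaks), and of Steve's point that DNS would need a record that points at the directory, here is example code that is not part of the thread. It assumes the directory is advertised with an SRV record named `_ldap._tcp.<domain>`, and the DNS answers are constructed inline so it runs offline. The DER handling is a minimal hypothetical helper that covers single-valued RDNs with UTF8String values only.

```python
"""Translate a GAP-style reference (DNS name + DER-encoded X.500 Name)
into an LDAP URL, locating the directory through DNS SRV records.
Added example; not code from the mailing-list thread."""
import re
from urllib.parse import quote

# Attribute types we know how to print as short names (RFC 2253).
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

# Constructed stand-in for a DNS SRV lookup: (priority, weight, port, target).
SAMPLE_SRV = {
    "_ldap._tcp.example.net": [
        (10, 60, 389, "dir1.example.net"),
        (10, 40, 389, "dir2.example.net"),
        (20, 0, 636, "backup.example.net"),
    ]
}

# --- minimal DER encoder (used only to build a sample Name) --------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                      # base-128 with continuation bits
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return bytes(out)

def encode_name(rdns):
    """rdns: list of (oid, value), most significant first (X.500 order).
    Produces SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    sets = b""
    for oid, value in rdns:
        atv = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x0C, value.encode()))
        sets += _tlv(0x31, atv)
    return _tlv(0x30, sets)

# --- minimal DER decoder (what the client would run on the GAP payload) ---
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(b):
    parts, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def decode_name(der):
    """Inverse of encode_name; rejects anything that is not a Name."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        stag, sbody, pos = _read_tlv(body, pos)
        if stag != 0x31:
            raise ValueError("RDN is not a SET")
        _, atv, _ = _read_tlv(sbody, 0)
        _, oid_bytes, p = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, p)
        rdns.append((_decode_oid(oid_bytes), value.decode()))
    return rdns

def ldap_dn_string(rdns):
    """RFC 2253 string form: least significant RDN first, special chars escaped."""
    def esc(v):
        v = re.sub(r'([,+"\\<>;])', r'\\\1', v)
        if v.startswith(("#", " ")):
            v = "\\" + v
        if v.endswith(" "):
            v = v[:-1] + "\\ "
        return v
    return ",".join(f"{OID_NAMES.get(o, o)}={esc(v)}" for o, v in reversed(rdns))

def choose_srv(records):
    """Lowest priority wins; RFC 2782 asks for weighted-random choice within a
    priority, simplified here to highest weight so the result is deterministic."""
    usable = [r for r in records if r[3] != "."]   # "." means service absent
    return min(usable, key=lambda r: (r[0], -r[1])) if usable else None

def gap_to_ldap_url(domain, der_name, srv_table=SAMPLE_SRV):
    """Resolve the directory for `domain` via SRV and build ldap://host:port/dn."""
    rec = choose_srv(srv_table.get(f"_ldap._tcp.{domain}", []))
    if rec is None:
        raise LookupError(f"no LDAP service advertised for {domain}")
    _, _, port, host = rec
    dn = ldap_dn_string(decode_name(der_name))
    return f"ldap://{host}:{port}/" + quote(dn, safe="=,")   # RFC 2255 path escaping

if __name__ == "__main__":
    sample = [("2.5.4.6", "US"), ("2.5.4.10", "Example Corp"),
              ("2.5.4.11", "R&D"), ("2.5.4.3", "Alice Example")]   # constructed
    print(gap_to_ldap_url("example.net", encode_name(sample)))
```

Running the script prints `ldap://dir1.example.net:389/CN=Alice%20Example,OU=R%26D,O=Example%20Corp,C=US`. The DN travels as DER inside the GAP reference, so the client never depends on a particular directory's string syntax; the SRV answer supplies host and port, and a second SRV name (for example an X.500 DAP service) could be consulted the same way if the directory does not speak LDAP.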
>>> Hannu Nikkanen <hannu.nikkanen@hpy.fi> 02/24/99 11:05PM >>>
Larry, Steve, Bob
there may be more real life complications, I'm actually using four e-mail
accounts (which have separate DNS servers):
- department level mainly in the office;
- corporation level (special services);
- local ISP from home,
- HotMail, when using somebody else's PC.
I have no strict role division between the addresses so my eMail address
may jump even from one continent to the other just depending on the way I get
connected. Correlating the eMail address with one or more (work, personal,
..) LDAP directories would be difficult.
Hannu
At 12:24 24.2.1999 -0500, Stephen Kent wrote:
>Larry,
>
>>For e-mail certificates, can't you use the domain from
>>the internet e-mail address to point you to a DNS server
>>And can't that in turn point you to the correct LDAP directory.
>
>One can certainly look up the user's DNS server based on e-mail address,
>but we don't have a record format in the DNS that points to an LDAP
>directory as a result. One could define such a record type, though.
>
>Steve