
Re: A web of directories - Finding PKIX Servers



Hello all,

I wrote a similar message about a year ago but it was mostly ignored...

Anyway, it seems that we all have a problem here.

The problem, in my opinion, is that we simply do not have a global X.500
service deployed (for whatever reason) but we use X.500 identifiers
(DNs) in our systems. So whenever I need the entry for a particular DN,
I have no method to find the server serving this information. X.500
would do this.

The basic lookup processes we have are:

- resolve an eMail address into a certificate for encryption.
- resolve a DN into a certificate (looking up a CA certificate)
- resolve a DN into a CRL (looking up a CA's CRL)
- find other services (OCSP) based on a DN

I suggest the following:

In order to allow independent deployment of PKIX "directory servers" we
should follow the Mail Model: A company puts a service on the net,
announcing the availability using DNS. I find it perfectly reasonable
to have my company, GMD in Germany, offer an external LDAP service
for their employees, under (e.g.) ldap.gmd.de.

The problem now is how to resolve the X.500 DN (O=GMD Forschungszentrum
Informationstechnik GmbH, c=DE) into the DNS domain (gmd.de).

The first method for a user would be to contact any official LDAP
gateway to X.500 and look up the entry for GMD. This may work if GMD has
set up a proper X.500 server. Then two cases exist: GMD has set up only
one entry for its name or it has set up a complete X.500 system. The
second case is easy; it is the X.500 model. In the first case, we could
hope that the domain name is contained as an attribute in the X.500
entry.

Now I have a DNS domain name, gmd.de, which could then be queried via
DNS and optionally SRV records (e.g. I can first ask for an SRV record
for a specific protocol that the user's client understands like LDAP).
If that does not work, the client could try ldap.gmd.de and get the
server's name.

Now let's suppose a case where the organization does not have an X.500
entry. One idea would be to use the IssuerAlternativeName to supply the
"root" DNS name inside the certificate. A good solution in my opinion.

Another idea would be to have a special DNS tree associated and look
up the Distinguished name:

e.g. In the case of a non-existent X.500 entry or unavailability of an
X.500 server AND no DNS name in the alternative name, try to hash the
DER encoded distinguished name, encode it in HEX or BASE64 and look up:

  abcd1234fdea8765abcd1234fdea8765.x500.org

or split the x500 DNS even more, x500.de or de.x500.org to allow a
distributed management. It *IS* a hack, but it may work until we have
X.500 deployed at least for CAs.

The problem of resolving an eMail address can be solved similarly via
SRV records, deriving the domain name from the host address part of the
eMail, similar to the technique for the MX records (and also proposed during
LDAP development with the DX record).
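As an added illustration of the two lookups sketched above (the hashed-DN name under x500.org and the SRV name derived from an eMail address), here is a small Python example; it is not part of Andreas's message. It assumes SHA-256 as the hash and hex as the encoding, since the message leaves both open, and it only builds the DNS names without actually querying them.

```python
import hashlib

# Constructed example: the DN from the post as (OID, value) RDNs in DER order
# (an X.501 Name is SEQUENCE OF SET OF SEQUENCE { OID, string }, encoded with
# the country RDN first, i.e. the reverse of the string form "O=..., C=DE").
GMD_DN = [("2.5.4.6", "DE"), ("2.5.4.10", "GMD Forschungszentrum Informationstechnik GmbH")]

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def der_encode_name(rdns) -> bytes:
    """DER-encode an X.501 Name; attribute values use PrintableString (tag 0x13)."""
    sets = b"".join(
        _tlv(0x31, _tlv(0x30, _der_oid(oid) + _tlv(0x13, val.encode("ascii"))))
        for oid, val in rdns)
    return _tlv(0x30, sets)

def dn_lookup_names(rdns, zone="x500.org", service="_ldap._tcp"):
    """Hash the DER DN (SHA-256 is an assumption; the post names no algorithm),
    hex-encode it, and return the owner name plus the SRV name a client would ask for."""
    digest = hashlib.sha256(der_encode_name(rdns)).hexdigest()
    owner = f"{digest}.{zone}"
    return owner, f"{service}.{owner}"

def mail_srv_name(email: str, service="_ldap._tcp") -> str:
    """Derive the SRV query name for an eMail address from its domain part, as for MX."""
    return f"{service}.{email.rsplit('@', 1)[1].lower()}"
```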


Andreas
-- 
Fifty-three percent of Fortune 1000 executives think the
Arch Deluxe is something that helps to run a computer.
-- Jericho Communications