
RE: Certificates, Directories, and Distinguished Names



Well - this seems to highlight a problem if the name form isn't a DN and
the entity is not in a directory.

The intent of 500/509 was that CAs are a directory entry - as per
subjects.
Attached to these entries are contact details etc - just in case of
things going wrong.

I am not too sure what going to a DNS-based name does in terms of
process - e.g. validation process or things that use certificates - can
someone please enlighten me.

i.e. if there are problems with the Issuer DN (i.e. it's an SMTP address in
the extensions) and I am in the process of path validation - do I mail the
Issuer with something?

What about CRLs - are they attached to these DNS-indexed things?

I understand that AIAs are useful as they deal with an explicit cert-based
function such as OCSP.
I just don't understand the process (that must be related to the
certificate) if DNS-type names are used for issuers, etc.

In addition - if one mixed name forms in a cert path - the process rules
can get messy. e.g. mail here, LDAP there, OCSP over there, etc.

please advise
regards alan




----------
From: Stephen Kent
To: Bob Jueneman
Cc: H.Kesterson@az05.bull.com; ietf-pkix@imc.org; list@seis.nc-forum.com
Sent: 3/22/99 11:43:07 AM
Subject: Re: Certificates, Directories, and Distinguished Names

Bob,

>Because of the potential impact on evolving software, I'd like
>to escalate this issue to the PKIX co-chairs, Steve Kent and
>Warwick Ford, and to the chair of X.509, Hoyt Kesterson,
>in order to force an expeditious resolution to this issue.

We live but to serve as arbiters in such disputes :-).

>One of these name forms, at least, ought to be usable to
>retrieve a certificate from a directory, whereas the others,
>although potentially candidates for inclusion in a directory,
>may not represent a real directory entry but may be for
>display purposes to RP software, or for other application
>purposes.
>
>I believe that it is extremely important that at least one of the
>multiple name forms that may be carried in a directory reflect
>the primary directory name used to store and retrieve such
>certificates.  If I start searching a directory, I don't want to
>have to try every name in a certificate looking for other, related
>certificates.

I tend to agree that it would be good if at least one subject name could
be used for directory lookup.  But, we have multiple directory options in
the Internet.  If the subject name is present, it's a DN and might be
appropriate for lookup in an X.500 directory.  But, if that DN is made up
of DC attributes, maybe it's really destined to be looked up in the DNS.
Also, if the subject name is NULL and an altName is present, that name
might be a DNS name, an RFC822 name, or an IP address, all of which are
suitable for lookup in the DNS.  So, if you are willing to allow for both
X.500 and DNS directory lookups, it would seem that we have lots of
options here.  I'll leave it to Hoyt to tell me where to lookup EDI party
names :-).


Steve
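As an added illustration of the lookup choices Steve lays out above (which directory a given name form points at), here is a small Python routine that takes a certificate's subject DN and subjectAltName values and says where each one could be looked up. It is not code from this thread or from any PKIX implementation. The input representation is an assumption: the subject DN is a list of (attribute, value) RDN tuples in ASN.1 root-first order, and subjectAltName is a list of (GeneralName choice, value) tuples using the RFC 5280 choice names dNSName, rfc822Name and iPAddress. The DC-to-domain mapping follows RFC 2247, and IP addresses are turned into reverse (PTR) names, both of which go a step beyond what the message states. The sample name sets at the bottom are constructed, not taken from any real certificate.

```python
"""Which directory can a certificate's names be looked up in?

Added illustration for the name-form discussion in this thread; it is not
code from the thread or from any PKIX implementation.  Assumed input
representation: the subject DN is a list of (attribute, value) RDN tuples
in ASN.1 (root-first) order, and subjectAltName is a list of
(GeneralName choice, value) tuples using the RFC 5280 choice names
dNSName, rfc822Name and iPAddress.  Multi-valued RDNs are not modelled.
"""
import ipaddress

# Characters that must be backslash-escaped in an RFC 4514 DN string.
# (A leading '#' and leading/trailing spaces are not handled here.)
_DN_SPECIAL = ',+"\\<>;'


def _escape_rdn_value(value):
    return ''.join('\\' + c if c in _DN_SPECIAL else c for c in value)


def dn_to_string(rdns):
    """ASN.1-ordered RDNs -> RFC 4514 string (most specific RDN first)."""
    return ','.join(f'{attr}={_escape_rdn_value(value)}'
                    for attr, value in reversed(rdns))


def dc_dn_to_dns_name(rdns):
    """Map a DN made only of DC attributes to a DNS name (RFC 2247 style).

    ASN.1 order is root-first, so [('DC','com'), ('DC','example')] becomes
    'example.com'.  Returns None if any non-DC attribute is present, since
    such a DN is an X.500 name rather than a DNS name in disguise.
    """
    if not rdns or any(attr.upper() != 'DC' for attr, _ in rdns):
        return None
    return '.'.join(value.lower() for _, value in reversed(rdns))


def lookup_plan(subject_rdns, alt_names):
    """Return [(directory, key), ...] describing where each name form in the
    certificate could be used to look up related certificates or CRLs.

    Raises ValueError for an empty subject with no subjectAltName: RFC 5280
    requires a SAN in that case, and without one there is nothing to look up.
    """
    if not subject_rdns and not alt_names:
        raise ValueError('empty subject requires a subjectAltName')
    plan = []
    if subject_rdns:
        dns_name = dc_dn_to_dns_name(subject_rdns)
        if dns_name is not None:
            plan.append(('DNS', dns_name))
        else:
            plan.append(('X.500', dn_to_string(subject_rdns)))
    for kind, value in alt_names:
        if kind == 'dNSName':
            plan.append(('DNS', value.rstrip('.').lower()))
        elif kind == 'rfc822Name':
            # Only the domain part of a mailbox is a DNS name; the local part
            # is opaque to the resolver, so it is dropped from the key.
            local, at, domain = value.rpartition('@')
            if not (local and at and domain):
                raise ValueError(f'malformed rfc822Name: {value!r}')
            plan.append(('DNS', domain.lower()))
        elif kind == 'iPAddress':
            # An address is looked up through its reverse (PTR) name.
            plan.append(('DNS', ipaddress.ip_address(value).reverse_pointer))
        else:
            # otherName, x400Address, ediPartyName, ...: no Internet directory
            plan.append(('unknown', f'{kind}={value}'))
    return plan


if __name__ == '__main__':
    # Constructed sample name sets, one per case discussed in the thread.
    samples = {
        'X.500 subject': ([('C', 'US'), ('O', 'Example Corp'),
                           ('CN', 'Example CA')], []),
        'DC-only subject': ([('DC', 'com'), ('DC', 'example')],
                            [('dNSName', 'ca.example.com.')]),
        'empty subject + SAN': ([], [('rfc822Name', 'alice@Mail.Example.COM'),
                                     ('iPAddress', '192.0.2.1')]),
    }
    for label, (subject, sans) in samples.items():
        print(label, '->', lookup_plan(subject, sans))
```

The point of the routine is the branching Steve describes: a DN with only DC attributes is a DNS name and goes to the DNS, any other non-empty DN goes to X.500, and the three Internet altName forms all reduce to a DNS key (a mailbox only through its domain part, an address only through its PTR name). Name forms such as ediPartyName fall through as unknown, which is exactly the case the thread leaves open.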