RE: LDAP Certificate transfer syntax (draft-ietf-pkix-ldap-v3-05.txt)
Ken,
I don't find this at all obvious. Apparently, some company creates
certificates with an email address in the subject DN. This would be horrible
to have to implement in a DIT. (I think the approved method of finding the
principal in this case is to search for an entry where the mail attribute
has this address as a value.)
There is also the case where the same identity has multiple certificates.
Ron.
-----Original Message-----
From: Ken Stillson [mailto:stillson@mitretek.org]
Sent: Wednesday, 3 April 2002 6:53
To: David Chadwick
Cc: LDAP BIS; PKIX
Subject: Re: LDAP Certificate transfer syntax
(draft-ietf-pkix-ldap-v3-05.txt)
On Mon, 1 Apr 2002, David Chadwick wrote:
> All constructive comments welcomed
Hi David-
A thought for you...
Although implied by section 3, perhaps it should be stated explicitly:
"A PKI object should be placed into an LDAP directory such that the LDAP
object DN matches the subject DN of the object."
Although this seems obvious to some, I've run into a surprising number of
clients setting up directories using some alternate structure, who are
then surprised when validation software can't find certificates given
subject DNs.
- Ken Stillson
--
| Ken Stillson | stillson@mitretek.org |
| Sr. Principal Engineer | voice: (703) 610-2965 |
| Mitretek Systems | fax: (703) 610-2984 |
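The two lookup strategies discussed in this thread, as an added example that is not part of either message: a direct read of the entry whose DN equals the certificate subject DN (Ken's placement rule), a fallback search on the mail attribute when the subject DN carries an email address (Ron's case), and selection by issuer and serial number when one entry holds several certificates. The DIT is a constructed in-memory dict, the certificates are placeholder tuples rather than real DER, and the DN parser is a deliberately simplified RFC 4514 reader (no multi-valued RDNs); none of this is from the draft or from any LDAP library.

```python
"""Added example: locating a certificate in a DIT from its subject DN.
The directory is a constructed in-memory stand-in; no LDAP server is used."""
from typing import Dict, List, Optional, Tuple

# Attribute types under which an email address appears in a subject DN
# (PKCS#9 emailAddress, its short form, and its dotted OID).
EMAIL_RDN_TYPES = {"emailaddress", "e", "1.2.840.113549.1.9.1"}

# A certificate is modelled as (issuer DN, serial number, DER bytes); the
# DER bytes are placeholders constructed for this example.
Cert = Tuple[str, int, bytes]
Entry = Dict[str, List]        # attribute type -> list of values
Directory = Dict[str, Entry]   # normalized entry DN -> entry


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (type, value) pairs, honouring
    backslash escapes so "Smith\\, John" is not split on its comma.
    Multi-valued RDNs ('+') are not handled: a simplification."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        # Types are case-insensitive; lowercasing values stands in for the
        # per-syntax matching rules a real server would apply.
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return pairs


def normalize_dn(dn: str) -> str:
    """Canonical key so "CN=Alice, O=Example" and "cn=alice,o=example" match."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn))


def email_from_dn(dn: str) -> Optional[str]:
    """Return the email address carried in the subject DN, if any."""
    for attr_type, value in parse_dn(dn):
        if attr_type in EMAIL_RDN_TYPES:
            return value
    return None


def find_entry(directory: Directory, subject_dn: str) -> Optional[str]:
    """Strategy 1: entry DN equals the subject DN (a base-scope read).
    Strategy 2: the subject DN carries an email address, so search for the
    entry whose mail attribute holds it; refuse to guess on ambiguity."""
    key = normalize_dn(subject_dn)
    if key in directory:
        return key
    email = email_from_dn(subject_dn)
    if email is None:
        return None
    matches = [dn for dn, entry in directory.items()
               if email in (m.lower() for m in entry.get("mail", []))]
    return matches[0] if len(matches) == 1 else None


def select_certificate(directory: Directory, entry_dn: str,
                       issuer_dn: str, serial: int) -> Optional[bytes]:
    """Pick one value from a multi-valued userCertificate attribute: issuer
    DN plus serial number identifies a certificate uniquely."""
    want_issuer = normalize_dn(issuer_dn)
    certs: List[Cert] = directory.get(entry_dn, {}).get("userCertificate;binary", [])
    for cert_issuer, cert_serial, der in certs:
        if normalize_dn(cert_issuer) == want_issuer and cert_serial == serial:
            return der
    return None


# Constructed DIT: one entry placed under its certificate subject DN, one
# whose certificates carry an email address in the subject DN instead.
CA = "CN=Example CA,O=Example Corp,C=US"
DIT: Directory = {
    normalize_dn("CN=Alice Example,O=Example Corp,C=US"): {
        "userCertificate;binary": [(CA, 1001, b"<DER cert 1001>")],
    },
    normalize_dn("uid=bob,ou=people,O=Example Corp,C=US"): {
        "mail": ["bob@example.com"],
        "userCertificate;binary": [(CA, 2001, b"<DER cert 2001>"),
                                   (CA, 2002, b"<DER cert 2002>")],
    },
}


def lookup(subject_dn: str, issuer_dn: str, serial: int) -> Optional[bytes]:
    """End-to-end: find the entry, then the specific certificate in it."""
    entry = find_entry(DIT, subject_dn)
    return None if entry is None else select_certificate(DIT, entry, issuer_dn, serial)


if __name__ == "__main__":
    print(lookup("CN=Alice Example, O=Example Corp, C=US", CA, 1001))
    print(lookup("emailAddress=bob@example.com,CN=Bob,O=Example Corp,C=US", CA, 2002))
```

The fallback returns nothing when the address maps to more than one entry, which is the safer choice for a validator: returning an arbitrary entry's certificate would make the path-building result depend on directory ordering.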