
Re: LDAP Certificate transfer syntax (draft-ietf-pkix-ldap-v3-05.txt)



Ken Stillson wrote:
  On Mon, 1 Apr 2002, David Chadwick wrote:

All constructive comments welcomed


  Although implied by section 3, perhaps it should be stated explicitly:

  "A PKI object should be placed into an LDAP directory such that the LDAP
   object DN matches the subject DN of the object."

  Although this seems obvious to some, I've run into a surprising number of
  clients setting up directories using some alternate structure, who are
  then surprised when validation software can't find certificates given
  subject DNs.

Ken, for various reasons this old-style 1:1 DIT mapping and obtaining the certificate chain from a directory never really worked in practice. Maybe in some small environments or very specific environments. It also assumes that the CA and the LDAP directory are structured and maintained by the same authority, which most of the time is not true in e.g. bigger companies.
BTW: Which implementations exist outside the X.500 world that try to obtain the whole certificate chain from an LDAP directory? I do not know of a single one.


Also think of dc-style naming vs. traditional X.521 naming. If you'd like to use dc-style naming in your LDAP directory and have that DIT 1:1 in your certificate's subject name, you will run into many serious interoperability problems with PKI-enabled software.

Ciao, Michael. (somewhat sick of DIT discussions)
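As an added illustration (not code from this thread or from the draft), the following Python check implements the 1:1 mapping Ken describes, i.e. looking up a certificate by an LDAP entry DN equal to the subject DN, and shows the mismatch Michael raises for a dc-style DIT. It assumes subject DNs are given in OpenSSL's slash-separated, root-first form and that directory DNs are ordinary leaf-first LDAP strings; the directory entries are constructed sample data.

```python
# Added example, not part of the original thread.
# Assumption: subject DNs arrive as "/C=DE/O=Example/CN=Alice" (root first,
# as older OpenSSL prints them); LDAP DNs are "cn=Alice,o=Example,c=DE".
# Escaped commas and multi-valued RDNs are not handled (kept simple on purpose).

def subject_to_ldap_dn(openssl_subject: str) -> str:
    """Reverse the RDN order and lower-case attribute types so the X.509
    subject can be compared with an LDAP entry DN."""
    rdns = []
    for part in openssl_subject.split("/"):
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(reversed(rdns))

def normalize_ldap_dn(dn: str) -> tuple:
    """Canonical form for DN equality: trimmed, lower-cased types and values
    (the usual name attributes use case-insensitive matching rules)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)

def find_certificate_entry(subject: str, directory: dict):
    """The 1:1 DIT mapping: the entry whose DN equals the subject DN.
    Returns the matching entry DN, or None when the DIT is laid out differently."""
    wanted = normalize_ldap_dn(subject_to_ldap_dn(subject))
    for entry_dn in directory:
        if normalize_ldap_dn(entry_dn) == wanted:
            return entry_dn
    return None

# Constructed sample DITs; "userCertificate" holds a placeholder, not real DER.
X521_DIT = {"cn=Alice,o=Example,c=DE": {"userCertificate": b"<placeholder-der>"}}
DC_DIT = {"cn=Alice,ou=People,dc=example,dc=com": {"userCertificate": b"<placeholder-der>"}}

if __name__ == "__main__":
    subj = "/C=DE/O=Example/CN=Alice"
    print("X.521-style DIT:", find_certificate_entry(subj, X521_DIT))  # found
    print("dc-style DIT:   ", find_certificate_entry(subj, DC_DIT))    # None
```

The dc-style lookup returns None because the entry DN has a different RDN sequence, which is exactly the situation where validation software that relies on DN equality fails to find the certificate.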