Re: LDAP Certificate transfer syntax (draft-ietf-pkix-ldap-v3-05.txt)
On Wed, 3 Apr 2002, Michael Ströder wrote:
> Ken, for various reasons this old style 1:1 DIT mapping and obtaining the
> certificate chain from a directory never really worked in practice. Maybe in
> some small environments or very specific environments.
As I understand it, this is the approach being taken in the rather large
effort of the Federal Bridge CA (FBCA). Perhaps it's not an ideal
solution, but at the moment, it appears to be the only available solution.
The problem is that when finding the next certificate in a hierarchical or
cross-cert chain, validation software might (when AIA and similar
extensions are not populated) only have the issuer field of the current
cert in order to find the next certificate.
(David W. informs me that an outcome of the LDAP PKIX ID will be the
ability to search for an entry based on its internal cert DN rather than
ldap-read it from a directory location. I hadn't caught that; perhaps
that's the permanent solution. I'm coming from the point of view of the
FBCA project which is already well underway and didn't have that
capability available to rely upon.)
> BTW: Which implementations exist outside the X.500 world which try to
> obtain the whole certificate chain from an LDAP directory? I do not know a
> single one.
FBCA is using a combination of chained X.500 directories (with LDAP
front-ends), and LDAP "meta-directories," essentially a mesh of referral
systems.
> Also think of dc-style naming vs. traditional X.521 naming. If you'd like to
> use dc-style naming in your LDAP directory and have that DIT 1:1 in your
> certificate's subject name you will run into many serious interoperability
> problems with PKI-enabled software.
Well, I guess I would say that if one "would like" dc-style naming, then
that directory is designed for human interaction (humans "like" things).
A PKI repository being stood up for automated certificate retrieval should
be structured for the ease of retrieval; if one really needs both, and
they conflict, it wouldn't be too surprising to need two structures, or at
least two indexing structures (I believe most directory software would
allow referrals or aliases to provide two DN views to the same objects).
- Ken
--
| Ken Stillson | stillson@mitretek.org |
| Sr. Principal Engineer | voice: (703) 610-2965 |
| Mitretek Systems | fax: (703) 610-2984 |
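The chain-building behaviour Ken describes, as an added example that is not code from the message or from the FBCA project: a path builder that, when a certificate carries no AIA caIssuers pointer, has only the issuer DN to work with and therefore reads the directory entry whose DN equals that issuer name (the 1:1 DIT mapping). The directory here is an in-memory dict standing in for an LDAP server, the certificates are a minimal dataclass with only subject, issuer and an optional AIA pointer, and the sample names (Example, Other Org, the dc=other,dc=example tree) are constructed for the illustration. It also shows the two practitioner points the thread raises: X.509 encodes RDNs most-significant first while LDAP string DNs run the other way, so the issuer name must be reversed before the read; and a dc-style DIT breaks the issuer-DN read for certificates without AIA, which an alias entry giving a second DN view of the same CA entry repairs.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate holding only what path building needs.
    Names are RDN sequences, most-significant RDN first, as the cert encodes them."""
    subject: tuple
    issuer: tuple
    aia_ca_issuers: Optional[str] = None   # AIA caIssuers pointer (a DN here), if populated


def rdn_to_ldap_dn(rdns) -> str:
    """X.509 name order is C,O,CN; an RFC 4514 string DN is CN,O,C. Reverse it."""
    return ",".join(f"{attr}={value}" for attr, value in reversed(rdns))


def normalize_dn(dn: str) -> str:
    """Directory DN matching is case-insensitive for attribute types and, for the
    usual syntaxes, values. Simplification: sample data contains no escaped commas."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def locate_issuer_certs(cert: Cert, directory: dict) -> list:
    """Prefer the explicit AIA pointer; without it the issuer DN is the only handle,
    so read the entry at that DN. An entry may hold several certs for one CA name
    (its own cert plus cross-certificates), so return all that match the issuer."""
    dn = cert.aia_ca_issuers or rdn_to_ldap_dn(cert.issuer)
    entry = directory.get(normalize_dn(dn), [])
    candidates = [c for c in entry if c.subject == cert.issuer]
    # Try cross-certificates before a CA's self-issued cert: the latter never
    # moves the walk closer to a foreign trust anchor.
    return sorted(candidates, key=lambda c: c.subject == c.issuer)


def build_chain(leaf: Cert, directory: dict, trust_anchors, max_depth: int = 8):
    """Depth-first walk from leaf to a trust anchor. Returns the cert list or None."""
    anchors = {a.subject: a for a in trust_anchors}

    def walk(cert, path):
        if cert.issuer in anchors:
            return path + [anchors[cert.issuer]]
        if len(path) >= max_depth:
            return None
        for candidate in locate_issuer_certs(cert, directory):
            if candidate in path:          # self-issued cert or cross-cert loop
                continue
            found = walk(candidate, path + [candidate])
            if found:
                return found
        return None

    return walk(leaf, [leaf])


def with_alias(directory: dict, alias_dn: str, target_dn: str) -> dict:
    """Second DN view of the same entry, as an alias or referral would provide."""
    aliased = dict(directory)
    aliased[normalize_dn(alias_dn)] = directory[normalize_dn(target_dn)]
    return aliased


# Constructed sample PKI: one domestic hierarchy plus a cross-certified outside CA.
EXAMPLE = (("C", "US"), ("O", "Example"))
ROOT_NAME = EXAMPLE + (("CN", "Root CA"),)
SUB_NAME = EXAMPLE + (("CN", "Sub CA"),)
ALICE_NAME = EXAMPLE + (("OU", "People"), ("CN", "alice"))
OTHER_NAME = (("C", "US"), ("O", "Other Org"), ("CN", "Other CA"))
BOB_NAME = OTHER_NAME[:2] + (("CN", "bob"),)

ROOT = Cert(ROOT_NAME, ROOT_NAME)
SUB = Cert(SUB_NAME, ROOT_NAME)
ALICE = Cert(ALICE_NAME, SUB_NAME)                 # no AIA: issuer DN is the only handle
OTHER_SELF = Cert(OTHER_NAME, OTHER_NAME)          # Other CA's own cert, not trusted here
OTHER_CROSS = Cert(OTHER_NAME, ROOT_NAME)          # cross-certificate Root issued to Other CA
OTHER_ENTRY_DN = "cn=Other CA,dc=other,dc=example" # dc-style DIT: entry DN != cert subject
BOB_WITH_AIA = Cert(BOB_NAME, OTHER_NAME, aia_ca_issuers=OTHER_ENTRY_DN)
BOB_NO_AIA = Cert(BOB_NAME, OTHER_NAME)

DIRECTORY = {
    normalize_dn(rdn_to_ldap_dn(ROOT_NAME)): [ROOT],
    normalize_dn(rdn_to_ldap_dn(SUB_NAME)): [SUB],
    normalize_dn(OTHER_ENTRY_DN): [OTHER_SELF, OTHER_CROSS],
}
# Alias giving the X.521-style view Ken suggests, so issuer-DN reads also succeed.
DIRECTORY_WITH_ALIAS = with_alias(DIRECTORY, rdn_to_ldap_dn(OTHER_NAME), OTHER_ENTRY_DN)

if __name__ == "__main__":
    for name, leaf, d in (("alice", ALICE, DIRECTORY), ("bob/aia", BOB_WITH_AIA, DIRECTORY),
                          ("bob/no-aia", BOB_NO_AIA, DIRECTORY),
                          ("bob/no-aia+alias", BOB_NO_AIA, DIRECTORY_WITH_ALIAS)):
        chain = build_chain(leaf, d, [ROOT])
        print(name, "->", None if chain is None else [c.subject[-1][1] for c in chain])
```

Note that `BOB_NO_AIA` fails against the plain directory for exactly the reason Michael raises: the issuer-DN read lands on `cn=other ca,o=other org,c=us`, and no entry exists there because the CA's entry lives in a dc-style tree. The AIA pointer or the alias is what makes the walk succeed, and in the cross-certified case the walk must skip the CA's self-issued certificate and follow the crossCertificatePair half issued by the bridge or root.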