The draft minutes from the IETF 57 PKIX WG meeting say:

> LDAP Documents: - David Chadwick (Univ of Salford) & Peter Gietz
> (DAASI)
> The WG has a suite of LDAP-PKIX drafts forming a comprehensive
> solution for LDAP based PKI information distribution.

I believe that the PK certificate schema is described in draft-klasen-ldap-x509certificate-schema-03.txt. That document (and the CRL and AC schemas) proposes a change from storing certificates in the multi-valued userCertificate and cACertificate attributes of an entity's directory entry to storing certificates as separate directory entries, subordinate to the entity's directory entry. Values may then be extracted from certificate fields and placed in attributes on the certificate's directory entry so that it's easier to search for certificates and retrieve only those you want.

At IETF 56, there was a discussion about whether to make this change or stick with the current schema and use component matching to solve the problem. As noted in the meeting minutes, a straw poll favored component matching but it was agreed to take this discussion to the mailing list.

I haven't seen any discussion on the mailing list, but now it seems that the matter has been decided in favor of the modified schema. Did I miss something? Was this discussed and agreed to on the mailing list? If not, it should be discussed here.

I would like to hear from customers who are using the old schema as to whether they will be happy moving to the new schema. I'm concerned that they may be reluctant to double or triple the number of entries in their directory.

Thanks,

Steve Hanna
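As an added illustration, not taken from the message above or from the drafts it cites: a small Python model of the two layouts being compared. The object class and attribute names used for the per-certificate entries (x509certificate, x509serialNumber, x509issuer) and the DER stand-in are assumptions, not the draft's actual definitions; the entity DN and serial numbers are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    der: bytes  # constructed stand-in for the DER encoding, not a real certificate


def fake_der(serial: int) -> bytes:
    """Constructed stand-in: 4-byte serial followed by filler, so 'decoding' is trivial."""
    return serial.to_bytes(4, "big") + b"\x00" * 12


def old_schema(entity_dn: str, certs: list[Cert]) -> dict:
    """Current layout: every certificate is one value of the multi-valued
    userCertificate;binary attribute on the entity's own entry (one entry total)."""
    return {entity_dn: {"objectClass": ["person", "pkiUser"],
                        "userCertificate;binary": [c.der for c in certs]}}


def new_schema(entity_dn: str, certs: list[Cert]) -> dict:
    """Proposed layout: one subordinate entry per certificate, with fields copied
    into plain attributes. Names below are assumed, not the draft's. Issuer values
    containing RDN special characters would need escaping, which is omitted here."""
    entries = {entity_dn: {"objectClass": ["person"]}}
    for c in certs:
        rdn = f"x509serialNumber={c.serial}+x509issuer={c.issuer}"
        entries[f"{rdn},{entity_dn}"] = {
            "objectClass": ["x509certificate"],
            "x509serialNumber": [str(c.serial)],
            "x509issuer": [c.issuer],
            "userCertificate;binary": [c.der]}
    return entries


def search_old(directory: dict, entity_dn: str, serial: int):
    """Without component matching the server cannot filter inside a DER value:
    it returns every value and the client decodes each one to find the wanted cert.
    Returns (values transferred, matching certificates)."""
    values = directory[entity_dn]["userCertificate;binary"]
    return len(values), [v for v in values if int.from_bytes(v[:4], "big") == serial]


def search_new(directory: dict, serial: int):
    """With extracted attributes an ordinary equality filter such as
    (x509serialNumber=<n>) is evaluated server-side; only the hit comes back."""
    hits = [e for e in directory.values() if str(serial) in e.get("x509serialNumber", [])]
    return len(hits), [e["userCertificate;binary"][0] for e in hits]


CERTS = [Cert(s, "CN=Example CA", fake_der(s)) for s in (1001, 1002, 1003)]
DN = "cn=Alice,o=Example"
```

Running it on the three sample certificates shows both sides of the trade-off: the old layout keeps one entry but ships all three values for a search on one serial, the new layout answers with a single entry but has grown the directory from one entry to four.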