
FW: Resend PKIX LDAPv3 schema: component matching or separate entries

Steve, I certainly share your concerns. I don't believe existing 
deployed systems will modify their schema. They are working just 
fine the way they are and have no reason to change. Also, from 
an interoperability standpoint I expect great reluctance to move 
to the schema in real world deployments that need to interop with 
existing ones using the old schema.

Sharon

-----Original Message-----
From: Steve Hanna [mailto:steve.hanna@sun.com]
Sent: Tuesday, August 05, 2003 3:21 PM
To: PKIX List; ietf-ldapbis@OpenLDAP.org
Subject: PKIX LDAPv3 schema: component matching or separate entries


The draft minutes from the IETF 57 PKIX WG meeting say:

> LDAP Documents: - David Chadwick (Univ of Salford) & Peter Gietz
>                (DAASI)
> The WG has a suite of LDAP-PKIX drafts forming a comprehensive
> solution for LDAP based PKI information distribution.

I believe that the PK certificate schema is described in
draft-klasen-ldap-x509certificate-schema-03.txt.

That document (and the CRL and AC schemas) proposes a
change from storing certificates in the multi-valued
userCertificate and cACertificate attributes of an
entity's directory entry to storing certificates as
separate directory entries, subordinate to the entity's
directory entry. Values may then be extracted from
certificate fields and placed in attributes on the
certificate's directory entry so that it's easier to
search for certificates and retrieve only those you want.

At IETF 56, there was a discussion about whether to make
this change or stick with the current schema and use
component matching to solve the problem. As noted in the
meeting minutes, a straw poll favored component matching
but it was agreed to take this discussion to the mailing
list. I haven't seen any discussion on the mailing list,
but now it seems that the matter has been decided in favor
of the modified schema.

Did I miss something? Was this discussed and agreed to on
the mailing list? If not, it should be discussed here.

I would like to hear from customers who are using the old
schema as to whether they will be happy moving to the new
schema. I'm concerned that they may be reluctant to double
or triple the number of entries in their directory.

Thanks,

Steve Hanna
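As an added illustration of the two layouts Steve contrasts (this is not code from either mail, from the PKIX drafts, or from any directory product), the Python model below builds both directory trees from the same constructed set of certificates and then performs the same "find the certificate with serial N" query against each. `pkiUser` and `userCertificate;binary` are the existing RFC 2587 names; the `x509certificate` object class and `x509serialNumber`, `x509issuer` and `x509validityNotAfter` attribute names are assumptions modelled on the separate-entry approach, not quoted from draft-klasen. The "DER" values are placeholder byte strings, and `decode_placeholder` stands in for real certificate parsing.

```python
"""Model of 'certificates as attribute values' vs 'certificates as subordinate entries'.

Constructed data and assumed attribute names; see the lead-in above.
"""

# Constructed sample: three entities holding five certificates between them.
# The "der" field is a stand-in for DER bytes that happens to carry the serial.
SAMPLE_ENTITIES = {
    "cn=Alice,ou=People,dc=example,dc=com": [
        {"serial": 1001, "issuer": "cn=Example CA,dc=example,dc=com",
         "notAfter": "20040801000000Z", "der": b"DER:1001"},
        {"serial": 1007, "issuer": "cn=Example CA,dc=example,dc=com",
         "notAfter": "20050801000000Z", "der": b"DER:1007"},
    ],
    "cn=Bob,ou=People,dc=example,dc=com": [
        {"serial": 1002, "issuer": "cn=Example CA,dc=example,dc=com",
         "notAfter": "20040801000000Z", "der": b"DER:1002"},
    ],
    "cn=Carol,ou=People,dc=example,dc=com": [
        {"serial": 1003, "issuer": "cn=Example CA,dc=example,dc=com",
         "notAfter": "20040801000000Z", "der": b"DER:1003"},
        {"serial": 1009, "issuer": "cn=Other CA,dc=example,dc=com",
         "notAfter": "20060801000000Z", "der": b"DER:1009"},
    ],
}


def decode_placeholder(der: bytes) -> dict:
    """Stand-in for X.509 parsing: recovers the serial from the placeholder bytes."""
    return {"serial": int(der.split(b":")[1])}


def old_schema_entries(entities: dict) -> dict:
    """Current layout: one entry per entity, all certificates as values of the
    multi-valued userCertificate;binary attribute. Returns {dn: {attr: [values]}}."""
    tree = {}
    for dn, certs in entities.items():
        tree[dn] = {
            "objectClass": ["pkiUser"],
            "userCertificate;binary": [c["der"] for c in certs],
        }
    return tree


def new_schema_entries(entities: dict) -> dict:
    """Proposed layout: the entity entry plus one subordinate entry per certificate,
    with selected fields copied into searchable attributes (assumed x509* names)."""
    tree = {}
    for dn, certs in entities.items():
        tree[dn] = {"objectClass": ["pkiUser"]}
        for c in certs:
            cert_dn = f"x509serialNumber={c['serial']},{dn}"
            tree[cert_dn] = {
                "objectClass": ["x509certificate"],
                "x509serialNumber": [str(c["serial"])],
                "x509issuer": [c["issuer"]],
                "x509validityNotAfter": [c["notAfter"]],
                "userCertificate;binary": [c["der"]],
            }
    return tree


def find_by_serial_old(tree: dict, serial: int, decode=decode_placeholder):
    """Without component matching the server cannot filter on a field inside the
    value, so the client pulls every certificate and decodes each one.
    Returns (matches, number_of_values_transferred)."""
    matches, transferred = [], 0
    for dn, attrs in tree.items():
        for der in attrs.get("userCertificate;binary", []):
            transferred += 1
            if decode(der)["serial"] == serial:
                matches.append((dn, der))
    return matches, transferred


def find_by_serial_new(tree: dict, serial: int):
    """Equivalent of the LDAP filter (x509serialNumber=N): only matching entries
    leave the server. Returns (matches, number_of_values_transferred)."""
    matches = [
        (dn, attrs["userCertificate;binary"][0])
        for dn, attrs in tree.items()
        if attrs.get("x509serialNumber") == [str(serial)]
    ]
    return matches, len(matches)


def entry_counts(entities: dict) -> tuple:
    """(entries in old layout, entries in new layout): the growth Steve is concerned about."""
    return len(old_schema_entries(entities)), len(new_schema_entries(entities))


if __name__ == "__main__":
    old, new = entry_counts(SAMPLE_ENTITIES)
    print(f"old layout: {old} entries, new layout: {new} entries")
    _, pulled_old = find_by_serial_old(old_schema_entries(SAMPLE_ENTITIES), 1007)
    _, pulled_new = find_by_serial_new(new_schema_entries(SAMPLE_ENTITIES), 1007)
    print(f"serial 1007: old layout transfers {pulled_old} values, new layout {pulled_new}")
```

Running it on the constructed data shows the trade-off in numbers: the old layout keeps three entries and the new one needs eight (three entity entries plus five certificate entries), while a lookup by serial number transfers all five certificates under the old layout and exactly one under the new. Component matching (the alternative favoured in the IETF 56 straw poll) aims at the second figure without the first.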