Re: I-D ACTION:draft-salzr-ldap-repsig-00.txt



Rich,

Why can't you use the mechanisms defined in RFC 2649 as a basis for this?
Your proposal seems remarkably similar to the definitions in RFC 2649.

Bruce

At 06:43 AM 5/2/2000 -0400, Internet-Drafts@ietf.org wrote:
>A New Internet-Draft is available from the on-line Internet-Drafts directories.
>
>
>	Title		: LDAP Controls for Reply Signatures
>	Author(s)	: R. Salz
>	Filename	: draft-salzr-ldap-repsig-00.txt
>	Pages		: 8
>	Date		: 01-May-00
>	
>In many environments the final step of certificate issuance is 
>publishing the certificate to a repository. Unfortunately, there 
>is no way for a Certification Authority (CA) to have a secure 
>application-level acknowledgement that the proper repository 
>did, in fact, receive the certificate. This issue is of greater 
>concern when considering the publication of Certificate 
>Revocation Lists (CRLs) -- if an adversary manages to interpose 
>itself between the CA and its intended repository, then clients 
>could end up relying on outdated revocation lists.
>This document defines a set of controls so that an LDAP client, 
>such as a CA, can receive a cryptographically secure 
>acknowledgement that an LDAP server has received a request, and 
>that the integrity of the server's reply has not been 
>compromised.
>  

==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com
Sign up for our LDAP Technical Overview Seminar at:
http://www.acteva.com/go/dtasi