
Re: [ldapext] draft-ietf-ldapext-locate



Paul Leach wrote:
-----Original Message-----

snip

In addition, I at least don't know that I understand the PK scenario
very well.
If I have a certificate for a user with DN "X" in my hands, why do I need
to locate an LDAP server for DN X? Certainly not to get the cert for
that user, which seems like the most obvious reason. If I don't have
such a cert, how did I get the user's DN? Isn't it more likely that I
know the user's email address and want to get their cert so as to send
them S/MIME protected email? Also, I know that cert chains contain

I think cert path construction is a better application to think about.
You have the issuer name and need to find the issuer cert. This is a real
problem, but it arises from the fact that most PKI applications have used
the issuer and subject DN fields both as "display" names and as addresses
(into a instead of using subjectAltName to locate certificates.


This is a mistake, and the current discussion about what meaning to assign
to DNs in the context of certificates and LDAP is a result of the fact that
DNs in LDAP are *only* used as addresses, whereas DNs in certificates are
used both as addresses (into something -- the global DIT -- which doesn't
even exist) and as a source of displayable user information.


	leifj
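The two lookups discussed in this thread, worked through as an added example that is not code from the thread or from either poster. It models the path-construction case leifj raises (you hold the issuer name and must locate the issuer cert) and the S/MIME case Paul Leach raises (you hold an email address and want the user's cert). Certificates are toy dict records rather than real X.509, the "directory" is an in-memory dict standing in for an LDAP DIT, and every DN, email address and fingerprint below is constructed for the example. The one caveat it makes concrete: a DN used as an address has to be compared with X.500 matching rules (caseIgnoreMatch on values, case-insensitive attribute types), not byte-for-byte, or the issuer lookup silently fails.

```python
"""
Constructed example: certification path construction by issuer-name lookup,
plus certificate lookup by subjectAltName rfc822Name. Not X.509, not LDAP;
toy records and an in-memory dict stand in for both. All data is made up.
"""
import re


def parse_dn(dn):
    """Split an RFC 4514-style DN string into (attr, value) RDN pairs.
    Backslash-escaped commas are honoured; multi-valued RDNs are not handled."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition('=')
        rdns.append((attr.strip(), value.strip().replace('\\,', ',')))
    return rdns


def normalize_dn(dn):
    """X.500-style name matching key: attribute types are case-insensitive,
    values use caseIgnoreMatch (case folded, whitespace runs collapsed)."""
    return tuple(
        (attr.upper(), re.sub(r'\s+', ' ', value).lower())
        for attr, value in parse_dn(dn)
    )


class Directory:
    """Toy stand-in for a DIT: entries are addressed by DN; a second index
    keyed by rfc822Name models locating a user's cert by email address."""

    def __init__(self):
        self.by_dn = {}      # normalized DN -> [cert, ...]
        self.by_email = {}   # lower-cased rfc822Name -> [cert, ...]

    def add(self, cert):
        self.by_dn.setdefault(normalize_dn(cert['subject']), []).append(cert)
        for name in cert.get('san', []):
            self.by_email.setdefault(name.lower(), []).append(cert)

    def lookup_dn(self, dn):
        return self.by_dn.get(normalize_dn(dn), [])

    def lookup_email(self, email):
        return self.by_email.get(email.lower(), [])


def build_path(leaf, directory, trust_anchors, max_len=10):
    """Walk issuer names from leaf towards a trust anchor. Returns the certs
    leaf..anchor. Selection is by name only: a real validator must still
    check each signature, validity period and constraints on the result."""
    anchors = {normalize_dn(c['subject']): c for c in trust_anchors}
    path, seen = [leaf], {leaf['fp']}
    while len(path) <= max_len:
        cur = path[-1]
        key = normalize_dn(cur['issuer'])
        if key in anchors:
            return path + [anchors[key]]
        candidates = [c for c in directory.lookup_dn(cur['issuer']) if c.get('ca')]
        if not candidates:
            raise LookupError(f"no CA certificate found for issuer {cur['issuer']!r}")
        nxt = candidates[0]
        if nxt['fp'] in seen:   # self-signed but untrusted, or a name cycle
            raise ValueError("path loops without reaching a trust anchor")
        seen.add(nxt['fp'])
        path.append(nxt)
    raise ValueError("path exceeds max_len")


def path_status(leaf, directory, trust_anchors):
    """Outcome of build_path as data: list of fingerprints, or an error tag."""
    try:
        return [c['fp'] for c in build_path(leaf, directory, trust_anchors)]
    except LookupError:
        return 'no-issuer'
    except ValueError:
        return 'untrusted'


# Constructed records. LEAF's issuer field deliberately differs from SUB's
# subject in case and spacing; SUB's issuer omits the spaces ROOT's subject has.
ROOT = {'subject': 'CN=Example Root CA, O=Example Corp, C=SE',
        'issuer': 'CN=Example Root CA, O=Example Corp, C=SE', 'ca': True, 'fp': 'root-1'}
SUB = {'subject': 'CN=Example Issuing CA, O=Example Corp, C=SE',
       'issuer': 'CN=Example Root CA,O=Example Corp,C=SE', 'ca': True, 'fp': 'sub-1'}
LEAF = {'subject': 'CN=Alice User, O=Example Corp, C=SE',
        'issuer': 'cn=example issuing ca, o=Example  Corp, c=se',
        'san': ['alice@example.org'], 'ca': False, 'fp': 'leaf-1'}
ORPHAN = {'subject': 'CN=Bob User, O=Example Corp, C=SE',
          'issuer': 'CN=Unknown CA, O=Nowhere, C=XX', 'ca': False, 'fp': 'orphan-1'}

DIRECTORY = Directory()
for _cert in (ROOT, SUB, LEAF, ORPHAN):
    DIRECTORY.add(_cert)

if __name__ == '__main__':
    print('byte-equal issuer/subject match:', LEAF['issuer'] == SUB['subject'])
    print('X.500 match:', normalize_dn(LEAF['issuer']) == normalize_dn(SUB['subject']))
    print('path (root trusted):', path_status(LEAF, DIRECTORY, [ROOT]))
    print('path (nothing trusted):', path_status(LEAF, DIRECTORY, []))
    print('path (issuer absent):', path_status(ORPHAN, DIRECTORY, [ROOT]))
    print('cert by email:', [c['fp'] for c in DIRECTORY.lookup_email('Alice@Example.org')])
```

Two things worth noting. First, `build_path` returns whatever cert the directory hands back under the issuer's name; nothing about a DN match proves the key inside signed the child, so name lookup only narrows the candidate set and signature verification is still mandatory. Second, the email index is the path Paul Leach's S/MIME scenario needs, and it never involves the DN at all, which is the point leifj makes about subjectAltName as the locator.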






_______________________________________________ Ldapext mailing list Ldapext@ietf.org https://www1.ietf.org/mailman/listinfo/ldapext