
RE: Cert Attributes in CERTDIST

1999-08-02 07:40:32
Jim,

From the perspective of a PKI serving an audience wider than just S/MIME,
it would be helpful if the information concerning a user is stored in a
canonical form, so that when an application asks a question ("what certs
apply to joe(_at_)hotmail(_dot_)com"), it gets a consistent answer regardless of where
the question is asked and which application is doing the asking.

If user certs are stored in a special S/MIME attribute, it makes them less
accessible to other applications.  They could be stored twice, but that
raises the issue of keeping the attributes in sync.

Would it be possible to both achieve the objectives of certdist AND
minimize unnecessary data denormalization in "the directory" by stating
that the certdist CertificateSet MUST NOT contain any certificates?
Instead, a pointer (SEQUENCE OF ESSCertID, similar to the
SigningCertificate attribute) to the certs would be stored in the
certdist signed attributes along with the three other required
attributes.

I don't object to a directory attribute containing S/MIME-specific data
bound to the user, but I do believe that that attribute should not
duplicate data contained in the standard directory attributes.

Dave Kemp
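The pointer scheme described above (a SEQUENCE OF ESSCertID in the certdist signed attributes instead of a CertificateSet, resolved against the certificates already held in the directory), as an added illustration that is not part of the original message or of any CERTDIST draft. It assumes hand-rolled DER helpers, omits the OPTIONAL issuerSerial of ESSCertID, and uses constructed byte strings in place of real DER-encoded X.509 certificates.

```python
import hashlib

# Minimal DER helpers written for this example (assumed, not from any library).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, body, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def ess_cert_id(cert_der):
    """ESSCertID (RFC 2634) with only the mandatory certHash:
    SEQUENCE { OCTET STRING sha1(entire DER certificate) }."""
    return der_tlv(0x30, der_tlv(0x04, hashlib.sha1(cert_der).digest()))

def cert_pointer_attribute(certs):
    """SEQUENCE OF ESSCertID: the pointer that would replace the CertificateSet."""
    return der_tlv(0x30, b"".join(ess_cert_id(c) for c in certs))

def resolve_pointers(attr, directory_certs):
    """Resolve each ESSCertID against userCertificate values fetched from the directory,
    so the certdist attribute never duplicates the certificates themselves."""
    by_hash = {hashlib.sha1(c).digest(): c for c in directory_certs}
    tag, seq, _ = der_read(attr)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF ESSCertID")
    resolved, pos = [], 0
    while pos < len(seq):
        tag, cid, pos = der_read(seq, pos)
        htag, h, _ = der_read(cid)
        if tag != 0x30 or htag != 0x04:
            raise ValueError("malformed ESSCertID")
        if h not in by_hash:                # pointer to a cert the directory does not hold
            raise LookupError("ESSCertID matches no certificate in the directory")
        resolved.append(by_hash[h])
    return resolved

# Constructed stand-ins for DER certificates (not real X.509 data).
SIGNING_CERT = b"constructed-der-signing-certificate"
ENCRYPTION_CERT = b"constructed-der-encryption-certificate"
UNRELATED_CERT = b"constructed-der-some-other-certificate"
```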



From: "Jim Schaad (Exchange)" <jimsch(_at_)EXCHANGE(_dot_)MICROSOFT(_dot_)com>

That is one of the issues.  The reasons why this field is not used are as
follows:

1.  userCertificate holds X509 certificates for the user (there may be more
than one) and what we are publishing is a SignedData object not an X509
certificate.
2.  We want to include additional attributes which also are not certificates
and bind them together with the certificate in a cryptographic manner.  (The
main attributes being encryption algorithms and a publishing time.)

jim

-----Original Message-----
From: Blake Ramsdell [mailto:BlakeR(_at_)deming(_dot_)com]
Sent: Thursday, July 22, 1999 2:23 PM
To: 'Sean Turner'; ietf-smime(_at_)imc(_dot_)org
Subject: RE: Cert Attributes in CERTDIST


-----Original Message-----
From: Sean Turner [mailto:turners(_at_)ieca(_dot_)com]
Sent: Thursday, July 22, 1999 2:31 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Cert Attributes in CERTDIST

I'm sorry if I'm coming at this a bit late, but why are the attributes
that are used to store signature and encryption certificates not
userCertificate as defined in the LDAP schema RFC from PKIX?

I think that the problem is because userCertificate refers to exactly one
certificate.  In order to put in a certificate chain, along with the S/MIME
capabilities of the certificate holder, a new convention must be used.

I may have some of this wrong, so anyone feel free to correct me.

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 376 0225 x103  Fax +1 425 376 0915

