ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Cert Attributes in CERTDIST

1999-10-11 12:44:47
from [Jim Schaad (Exchange)] [Permanent Link] 
I do know that current clients exist in the market who only look at one
element (mine for one), however I don't believe that this should stand in
the way of creating a "correct" standard.

I agree that it makes sense to allow for the EE certificate to be optional
if it exists in the userCertificates property.  I think that the chain
certificates can be optional if 

-----Original Message-----
From: Walter Williams [mailto:walter(_dot_)williams(_at_)gte(_dot_)com]
Sent: Sunday, September 12, 1999 7:30 PM
To: Russ Housley; jimsch(_at_)EXCHANGE(_dot_)MICROSOFT(_dot_)com
Cc: wpolk(_at_)nist(_dot_)gov; ietf-smime(_at_)imc(_dot_)org
Subject: RE: Cert Attributes in CERTDIST


Russ,

One thought here is backwards compatability of existing s/mime aware
clients.  Some may have been written to check for the cert in only one of
the available attributes.  You don't want to change the directory in a way
which prevents an older client from seeing the certificate. (might though
give vendors a thrill to have to say: so sorry, but due to a standard change
we must force you to upgrade to support s/mime again)  Certificates are also
not very large (compaired with a .jpg picture of the directory entrant as a
comparitive example) and so the data bloat does not waste much drive space.
Of course, if all available clients look in both places, my statement is
pretty much a waste of good bandwidth.

Walt Williams
GTE Internetworking

-----Original Message-----
From: owner-ietf-smime(_at_)imc(_dot_)org 
[mailto:owner-ietf-smime(_at_)imc(_dot_)org]On
Behalf Of Russ Housley
Sent: Sunday, September 12, 1999 12:35 PM
To: jimsch(_at_)EXCHANGE(_dot_)MICROSOFT(_dot_)com
Cc: wpolk(_at_)nist(_dot_)gov; ietf-smime(_at_)imc(_dot_)org
Subject: RE: Cert Attributes in CERTDIST


Jim:

I must agree with many of the points that Dave Kemp made.  Is it worth
putting multiple copies of the same certificate into the Directory?  This
can lean to inconsistincies.

Maybe it would be better to follow the PKIX LDAP Schema and add an
S/MIME-specific attribute too the directory entry.  The binding you seek
could be achieved by putting a reference to a specific certificate that is
available in the userCertificate attribute inside the S/MIME-specific
attribute.

Thoughts?

Russ
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Cert Attributes in CERTDIST, Jim Schaad (Exchange)
Next by Date:  RE: Cert Attributes in CERTDIST, Jim Schaad (Exchange)
Previous by Thread:  RE: Cert Attributes in CERTDIST, Jim Schaad (Exchange)
Next by Thread:  RE: Cert Attributes in CERTDIST, Jim Schaad (Exchange)
Indexes:  [Date] [Thread] [Top] [All Lists]