ietf-smime

Re: Working Group Last Call:draft-ietf-smime-certdist-04.txt

1999-10-25 06:52:06

Certdist draft 4 is an improvement over draft 3, in that it allows
CAs (not just End Entities) to sign the SMimeCertificatePublish object
and it allows End Entity certificates to be published in the userCertificate
attribute in lieu of the proposed userSmimeCertificate attribute.

However, it is still not clear what certificate publishing problem
certdist is trying to solve.

Section 2 says:

  "LDAP currently has the userCertificate property [attribute? -- dpk]
  defined for just that purpose.  ...  While some directories, such as
  X.500 directories, provide for a directory entry to contain the CA
  certificate, this is not the case for all directories."

Since LDAP directories have both user and CA certificate attributes,
and LDAP is the Internet mechanism of choice for publishing and retrieving
certificates, it would seem that a draft which proposes an alternative
cert publishing mechanism as an Internet Standard would have a high
burden of proof to justify the duplication.  The IESG is relatively
strict in discouraging the definition of overlapping mechanisms.

The draft should cite at least one example of an Internet directory
which:
1) is used to distribute certificates,
2) could be modified to include the proposed userSmimeCertificate attribute, and
3) could not be modified to contain the standard caCertificate attribute.

If such a directory exists, and needs to be accommodated in an Internet
Standard, I propose that the following be added to section 4.3, which
subsumes the LDAP-specific wording currently in section 4.5:

  4.3 CertificateSet
  
  If the SMimeCertificatePublish object is published in the LDAP
  userSmimeCertificate attribute, the SignedData->certificates field
  of the object MUST be absent.  If the SMimeCertificatePublish object
  is distributed by other means, this draft imposes additional
  restrictions ...

This would ensure that LDAP directories only have to store one copy of
user and CA certificates in the standard user- and CA-certificate
attributes, instead of duplicating user certificates in two attributes
and maintaining duplicate copies of CA certificates for every user.  In
LDAP directories, userSmimeCertificate would thus contain only the
signed attributes; the eContent and CertificateSet fields would be empty.

Dave Kemp
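A worked check for the CertificateSet rule proposed above (an added example, not code from the certdist draft or from either poster): it decodes a CMS ContentInfo carrying SignedData with a small hand-written DER reader and reports whether the certificates [0], crls [1] and eContent fields are present, which is what a publishing tool or directory would need to test before accepting an SMimeCertificatePublish object into userSmimeCertificate. Assumptions: the eContentType is the placeholder id-data OID (the draft's own content-type OID is not on this page), the entry inside the sample CertificateSet is a dummy SEQUENCE rather than an X.509 certificate, signerInfos is an empty SET because no signature is generated, and the sample objects are constructed inline.

```python
# Added example (not from the certdist draft or the list post): checks the
# proposed rule that an SMimeCertificatePublish object stored in the LDAP
# userSmimeCertificate attribute carries no certificates [0] field and, per
# the post, no eContent either.  A minimal DER reader is hand-written here so
# the example needs no ASN.1 library.

ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
ID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1, placeholder eContentType
ID_SHA1 = bytes.fromhex("2b0e03021a")                 # 1.3.14.3.2.26


def der(tag, content):
    """Encode one DER TLV (single-byte tag, definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags do not occur in CMS SignedData")
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0 or k > 4:
            raise ValueError("indefinite or oversized length is not DER")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    end = pos + n
    if end > len(buf):
        raise ValueError("length overruns the buffer")
    return tag, buf[pos:end], end


def children(content):
    """Return [(tag, content), ...] for the TLVs inside a constructed value."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def inspect_signed_data(content_info):
    """Report which optional SignedData fields a ContentInfo carries."""
    tag, body, _ = read_tlv(content_info)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    parts = children(body)
    if len(parts) != 2 or parts[0] != (0x06, ID_SIGNED_DATA) or parts[1][0] != 0xA0:
        raise ValueError("not an id-signedData ContentInfo")
    sd_tag, sd, _ = read_tlv(parts[1][1])          # content [0] EXPLICIT SignedData
    if sd_tag != 0x30:
        raise ValueError("SignedData must be a SEQUENCE")
    fields = children(sd)
    tags = [t for t, _ in fields]
    # version INTEGER, digestAlgorithms SET, encapContentInfo SEQUENCE,
    # [certificates [0]] [crls [1]], signerInfos SET
    if tags[:3] != [0x02, 0x31, 0x30] or tags[-1] != 0x31:
        raise ValueError("unexpected SignedData layout")
    optional = tags[3:-1]
    if (any(t not in (0xA0, 0xA1) for t in optional)
            or len(set(optional)) != len(optional)
            or optional != sorted(optional)):
        raise ValueError("unexpected or misordered optional fields")
    encap = children(fields[2][1])                  # eContentType OID [, eContent [0]]
    return {
        "has_certificates": 0xA0 in optional,
        "has_crls": 0xA1 in optional,
        "has_econtent": any(t == 0xA0 for t, _ in encap),
    }


def ok_for_user_smime_certificate(content_info):
    """True if the object satisfies the proposed LDAP publication rule."""
    info = inspect_signed_data(content_info)
    return not info["has_certificates"] and not info["has_econtent"]


def build_signed_data(with_certificates, with_econtent):
    """Construct a sample ContentInfo/SignedData for the checker (test data only)."""
    version = der(0x02, b"\x01")
    digest_algs = der(0x31, der(0x30, der(0x06, ID_SHA1)))
    encap = der(0x06, ID_DATA)
    if with_econtent:
        encap += der(0xA0, der(0x04, b"constructed sample payload"))
    body = version + digest_algs + der(0x30, encap)
    if with_certificates:
        # Placeholder CertificateSet: a dummy SEQUENCE, not a real X.509 certificate.
        body += der(0xA0, der(0x30, der(0x04, b"dummy certificate")))
    body += der(0x31, b"")                          # signerInfos: empty, no signature is produced here
    return der(0x30, der(0x06, ID_SIGNED_DATA) + der(0xA0, der(0x30, body)))


if __name__ == "__main__":
    for certs, econtent in ((True, True), (False, True), (False, False)):
        obj = build_signed_data(certs, econtent)
        print(certs, econtent, inspect_signed_data(obj), ok_for_user_smime_certificate(obj))
```

The checker looks only at tags and structure, not at signatures; verifying the signed attributes against the certificate held in userCertificate or caCertificate is a separate step that an ASN.1 library such as pyasn1 or asn1crypto would normally handle, and the hand-written reader here is meant only to make the field-presence rule concrete.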
Announcing S/MIME Working Group Last Call.

      Title           : Certificate Distribution Specification
      Author(s)       : J. Schaad
      Filename        : draft-ietf-smime-certdist-04.txt
      Pages           : 20
      Date            : 21-Oct-99
      
Current methods of publishing certificates in directory services are
restricted to just certificates.  This document provides a method of
publishing certificates with secondary support information such as
the SMimeCapabilities attribute (containing bulk algorithm support)
in a way that is both authenticated and bound to a given
certificate.

Working Group Last Call will close after the IETF meeting.  It will close 
on 14 November.

S/MIME WG Chair,
    Russ