ietf-smime

RE: Border directories

2000-05-12 02:41:32
Peter, 

I am with Walter on this one. Whether LDAP is implemented at the client or
at the server, you are going to need it in there somewhere: certificates are
stored in a directory that exposes its data via LDAP, and some form of LDAP
interface will be required between the directory and the web server. Yes, you
can use HTTP to retrieve certificates, but this is not the way the market has
gone; all of the major SMIME clients available on the market today will
retrieve certificates using the LDAP protocol quickly and efficiently. Of
course this has the added advantage that all directories should support
LDAP; not all companies that you will communicate with will have tied their
directory to a web server.

Stuart Ross
-----Original Message-----
From: pgut001@cs.auckland.ac.nz [mailto:pgut001@cs.auckland.ac.nz]
Sent: Friday, May 12, 2000 7:06 AM
To: ietf-smime@imc.org; pbaker@verisign.com; walter.williams@genuity.com
Subject: RE: Border directories


"Walter Williams" <walter.williams@genuity.com> writes:

> The major problem I see with using HTML is the need for the email client to
> retrieve the public key.  They are designed to do this over LDAP.  Not all
> email clients are integrated with a HTML reader.  The LDAP query is not
> significant overhead and checks for public key data very transparently.

Uhh... anything which can talk TCP/IP can do an HTML GET in about 10 lines
of code and about 5 minutes of work.  When used as a cert-grabbing mechanism,
I'd estimate that LDAP has about four orders of magnitude more overhead (in
terms of code complexity) than HTML (probably more like five or six, going
by the size of LDAP binaries).  I'm not sure what the performance overhead is
but I can imagine that'd also be vastly higher.

Given that in the end all you're doing is a 'SELECT cert WHERE name = foo',
doing it via an HTTP GET makes much more sense than rewriting it into an
LDAP query in the client, communicating it via an enormously complex and
heavyweight protocol to the server, having the server rewrite it back into 
its original form so it can do something useful with it, and then reversing 
the process to return the result.  Sure, you get to say "We're using LDAP",
but wouldn't it make more sense to cut out the middleman and do things
directly?

Peter.
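The lookup Peter describes as 'SELECT cert WHERE name = foo', written out both ways, as an added example that is not part of either message and not any product's interface: a tiny border web server answering GET /cert?mail=<address> (the URL layout, the in-memory store and the stand-in certificate bytes are all constructed assumptions), the few-line HTTP client that fetches from it, and the same lookup rewritten as an LDAP search filter with RFC 4515 escaping applied so that a mail address containing filter metacharacters cannot change the query.

```python
"""Added example (not from the thread): one certificate lookup, two protocols.

Everything here is constructed for illustration: the sample store, the
stand-in certificate bytes and the ``/cert?mail=<address>`` URL layout are
assumptions, not any real directory product's interface.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, quote, urlparse
from urllib.request import urlopen

# Constructed sample "directory": mail address -> certificate bytes.
# The value stands in for a DER-encoded certificate; it is not a real one.
SAMPLE_STORE = {
    "alice@example.org": b"\x30\x82\x01\x00" + b"CONSTRUCTED-CERT-ALICE",
}


class CertHandler(BaseHTTPRequestHandler):
    """Border web server: answers GET /cert?mail=<addr> with the stored bytes."""

    store = SAMPLE_STORE

    def do_GET(self):
        url = urlparse(self.path)
        mail = parse_qs(url.query).get("mail", [""])[0]
        cert = self.store.get(mail) if url.path == "/cert" else None
        if cert is None:
            self.send_error(404, "no certificate for that address")
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/pkix-cert")
        self.send_header("Content-Length", str(len(cert)))
        self.end_headers()
        self.wfile.write(cert)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_directory(store, host="127.0.0.1"):
    """Serve *store* on an ephemeral port in a daemon thread; returns (server, base_url)."""
    handler = type("Handler", (CertHandler,), {"store": store})
    server = HTTPServer((host, 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://%s:%d" % server.server_address


def fetch_cert_http(base_url, mail, timeout=5):
    """Client side of the HTTP approach: one GET, raw bytes back, None on 404."""
    url = "%s/cert?mail=%s" % (base_url, quote(mail, safe=""))
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


def ldap_filter_for(mail):
    """The same lookup as an LDAP search filter, with RFC 4515 escaping applied.

    '*', '(', ')', '\\' and NUL in the address are rewritten as \\xx so the
    address is matched literally rather than interpreted as filter syntax.
    """
    escaped = "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in mail
    )
    return "(mail=%s)" % escaped


if __name__ == "__main__":
    server, url = start_directory(SAMPLE_STORE)
    try:
        print(fetch_cert_http(url, "alice@example.org"))
        print(fetch_cert_http(url, "nobody@example.org"))
        print(ldap_filter_for("alice@example.org"))
    finally:
        server.shutdown()
        server.server_close()
```

Neither transport authenticates the certificate it returns; with HTTP or LDAP alike, the mail client still has to validate the chain and the binding of the address to the certificate before trusting it, so the choice between them is about code size and deployment rather than trust.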
