pem-dev

Re: FYI

1994-02-22 07:48:00
/mtr writes:
There are two results which follow from this schism:


 1. An entry having an objectClass attribute value of
    strongAuthenticationUser contains one or more userCertificate
    attribute values.  Each of these is a PKC.  However, there need be no
    relationship between the name of the entry holding a PKC and the
    subject or issuer fields of that PKC.   Similarly, the subject field of
    a PKC needn't correspond to an entry in the DIT.


 2. The issuer (CA) field of a PKC needn't correspond to an entry in the
    DIT.  However, this may be useful as that entry might contain an
    objectClass attribute value of certificationAuthority, which indicates
    that the CA's entry contains information such as a PKC revocation
    list.

If there is no relationship between the CA or subject name in the PKC and
the DIT then how do you propose we search the Directory to validate
certificatePaths and CRLs?  We have always assumed that upon being presented
with a subject PKC (from a mailer) that we could search the Directory
to find all issuers and their CRLs.  If this functionality is not present
or is sufficiently complicated then you have lost one of your best "users".


John Lowry      
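
The following is an added example, not part of the original message or of any PEM implementation. It models the lookup under discussion: walking issuer fields to collect issuers and their CRLs, first with CA entries named after the PKC subject and then with unrelated entry names. All names, entries and CRL labels are constructed, the top of the path is assumed to be self-signed, and no signatures are checked.

```python
# Toy model: constructed names and data, no real X.500 access or signature checks.
from collections import namedtuple

PKC = namedtuple("PKC", "subject issuer")        # only the two name fields matter here
ROOT = PKC("O=Root CA,C=US", "O=Root CA,C=US")   # self-signed top of the path (assumption)
CA = PKC("OU=Eng CA,O=Example,C=US", ROOT.subject)
USER = PKC("CN=Some User,OU=Eng CA,O=Example,C=US", CA.subject)

def make_dit(aligned):
    """Entry name -> attributes. aligned=True names each CA entry after its PKC subject."""
    def ca_entry(pkc, crl):
        return {"objectClass": {"strongAuthenticationUser", "certificationAuthority"},
                "userCertificate": [pkc], "crl": [crl]}
    return {
        ROOT.subject if aligned else "CN=store-01,C=US": ca_entry(ROOT, "root-crl"),
        CA.subject if aligned else "CN=store-17,O=Example,C=US": ca_entry(CA, "eng-crl"),
        "CN=mailbox-42,O=Example,C=US": {"objectClass": {"strongAuthenticationUser"},
                                          "userCertificate": [USER]},
    }

def issuer_cert(entry, name):
    """Return the CA certificate with subject `name` held in this entry, or None."""
    if entry is None or "certificationAuthority" not in entry["objectClass"]:
        return None
    return next((c for c in entry["userCertificate"] if c.subject == name), None)

def find_by_name(dit, name):
    """One read: the issuer field is used directly as the entry name."""
    entry = dit.get(name)
    return entry if issuer_cert(entry, name) is not None else None

def find_by_scan(dit, name):
    """Fallback when names do not line up: examine every entry for a matching PKC."""
    return next((e for e in dit.values() if issuer_cert(e, name) is not None), None)

def build_path(dit, pkc, find):
    """Walk issuer fields up to a self-signed PKC, collecting issuers and their CRLs."""
    path, crls = [], []
    while pkc.issuer != pkc.subject and len(path) < 8:   # depth cap guards against loops
        entry = find(dit, pkc.issuer)
        if entry is None:
            return None                                   # issuer could not be located
        pkc = issuer_cert(entry, pkc.issuer)
        path.append(pkc)
        crls.extend(entry["crl"])
    return path, crls
```

With aligned names `find_by_name` resolves each issuer in a single read; with unrelated entry names it returns nothing, and only the exhaustive `find_by_scan` recovers the same path.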

