If there is no relationship between the CA or subject name in the PKC and
the DIT then how do you propose we search the Directory to validate
certificatePaths and CRLs? We have always assumed that upon being presented
with a subject PKC (from a mailer) that we could search the Directory
to find all issuers and their CRLs. If this functionality is not present
or is sufficiently complicated then you have lost one of your best "users".
Having attended (and spoken at) the NADF meeting that Marshall refers
to, let me add my observations.
mtr writes:
1. An entry having an objectClass attribute value of
strongAuthenticationUser contains one or more userCertificate
attribute values. Each of these is a PKC. However, there need be no
relationship between the name of the entry holding a PKC and the
subject or issuer fields of that PKC. Similarly, the subject field of
a PKC needn't correspond to an entry in the DIT.
Because entries in the DIT are based not only on Distinguished Name
information, but also (sometimes) on the provider and instance of the
listing, the relationship between a PKC DN and the DIT DN is cloudy at
best. In addition, it should be possible for a DIT entry to contain
multiple PKCs with different DNs corresponding to different identities
(residential, orgPerson, role, etc.). I think the only fair
assessment is that a relationship between PKC DNs and DIT entries
would be useful but is yet to be defined.
Last, the subject field of a PKC needn't correspond to an entry in the
DIT, otherwise a PEM certificate could not be issued until the
corresponding DIT entry was made.
2. The issuer (CA) field of a PKC needn't correspond to an entry in the
DIT. However, this may be useful as that entry might contain an
objectClass attribute value of certificationAuthority, which indicates
that the CA's entry contains information such as a PKC revocation
list.
I think Marshall's observation here is accurate. Again, there is not
a requirement (currently) to list an issuer's DN in the DIT before
making it a CA. It would, however, be useful if the issuer's DN could
eventually be used as a lookup mechanism to find the corresponding
entry with higher-level PKCs and CRLs.
-Steve Dusse
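As an added example, not code from this thread or from any of its posters, the following Python simulates the lookup the thread is arguing about: a mailer holding a subject PKC walks the issuer chain through an X.500-style DIT, reading each issuer's CRL from an entry of objectClass certificationAuthority. The issuer DN is first tried as the entry's own name; when that fails (the case both messages say is undefined today) the code falls back to searching certificationAuthority entries for a cACertificate whose subject matches the issuer field. The DIT, the DNs, the certificates (plain records, not parsed X.509), and the simplified X.500 DN matching are all constructed for this example.

```python
"""Added example: simulated X.500 DIT lookup of issuer entries and CRLs
during PKC path validation. All data below is constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class PKC:
    """Minimal stand-in for a certificate (no real X.509 parsing)."""
    subject: str
    issuer: str
    serial: int


@dataclass
class Entry:
    """A DIT entry: objectClass values plus the attributes used here."""
    object_classes: set
    user_certificates: list = field(default_factory=list)  # userCertificate
    ca_certificates: list = field(default_factory=list)    # cACertificate
    revoked_serials: set = field(default_factory=set)      # the entry's CRL


def normalize_dn(dn):
    """Simplified X.500 DN matching: attribute types are case-insensitive,
    values are case-folded with whitespace collapsed."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append((attr_type.strip().lower(), " ".join(value.split()).lower()))
    return tuple(rdns)


class DIT:
    def __init__(self):
        self.entries = {}

    def add(self, dn, entry):
        self.entries[normalize_dn(dn)] = entry

    def read(self, dn):
        return self.entries.get(normalize_dn(dn))

    def find_ca_entry(self, issuer_dn):
        """Locate the certificationAuthority entry for a PKC's issuer field.
        Try the issuer DN as an entry name first; if no such entry exists,
        search CA entries for a cACertificate whose subject equals it."""
        entry = self.read(issuer_dn)
        if entry is not None and "certificationAuthority" in entry.object_classes:
            return entry
        wanted = normalize_dn(issuer_dn)
        for entry in self.entries.values():
            if "certificationAuthority" not in entry.object_classes:
                continue
            if any(normalize_dn(c.subject) == wanted for c in entry.ca_certificates):
                return entry
        return None


def validate_path(dit, leaf, trust_anchor_dn, max_depth=8):
    """Walk from a leaf PKC up to the trust anchor, checking each certificate
    against its issuer's CRL. Returns (ok, list of problems found)."""
    problems = []
    cert = leaf
    anchor = normalize_dn(trust_anchor_dn)
    for _ in range(max_depth):
        ca_entry = dit.find_ca_entry(cert.issuer)
        if ca_entry is None:
            problems.append(f"no certificationAuthority entry or CRL found for issuer {cert.issuer}")
            return False, problems
        if cert.serial in ca_entry.revoked_serials:
            problems.append(f"serial {cert.serial} is on the CRL of {cert.issuer}")
            return False, problems
        if normalize_dn(cert.issuer) == anchor:
            return True, problems
        # Step up: the issuer's own PKC is among the entry's cACertificate values.
        issuer_certs = [c for c in ca_entry.ca_certificates
                        if normalize_dn(c.subject) == normalize_dn(cert.issuer)]
        if not issuer_certs:
            problems.append(f"CA entry for {cert.issuer} holds no cACertificate for itself")
            return False, problems
        cert = issuer_certs[0]
    problems.append("certification path exceeds max_depth")
    return False, problems


def build_sample_dit():
    """Constructed directory: a PCA, an organisational CA whose entry DN
    differs from its certificate subject, and two users."""
    dit = DIT()
    dit.add("c=US, o=Example PCA", Entry(
        {"certificationAuthority"},
        ca_certificates=[PKC("c=US, o=Example PCA", "c=US, o=Example PCA", 1)]))
    # The CA's entry sits under ou=Security; its PKC subject is "o=Example Corp CA".
    dit.add("c=US, o=Example Corp, ou=Security", Entry(
        {"certificationAuthority"},
        ca_certificates=[PKC("c=US, o=Example Corp CA", "c=US, o=Example PCA", 7)],
        revoked_serials={42}))
    dit.add("c=US, o=Example Corp, cn=Alice Smith", Entry(
        {"strongAuthenticationUser"},
        user_certificates=[PKC("C=US, O=Example Corp, CN=A. Smith", "c=US, o=Example Corp CA", 17)]))
    dit.add("c=US, o=Example Corp, cn=Bob Jones", Entry(
        {"strongAuthenticationUser"},
        user_certificates=[PKC("c=US, o=Example Corp, cn=Bob Jones", "c=US, o=Example Corp CA", 42)]))
    return dit


if __name__ == "__main__":
    dit = build_sample_dit()
    for dn in ("c=US, o=Example Corp, cn=Alice Smith", "c=US, o=Example Corp, cn=Bob Jones"):
        cert = dit.read(dn).user_certificates[0]
        print(dn, validate_path(dit, cert, "c=US, o=Example PCA"))
```

Note that Alice's PKC subject ("CN=A. Smith") is not the DN of her entry, and the Example Corp CA's PKC subject is not the DN of its entry either; validation still succeeds only because of the fallback search in find_ca_entry. Without an agreed relationship between PKC DNs and DIT names, that fallback is a full scan of CA entries, which is exactly the cost the first message worries about.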