Bob,
I was the software lead and designer for a version of MSP/X.400
containing an integrated UA/DUA, MTA/DUA, and standalone DUA to support
wherever possible the EXCLUSIVE use of DNs for secure messaging.
Every user has at least two certificates along with CRLs and ancillary
data which is stored in a B1 multi-level secure Directory and locally in
a per-user cache. The mail system encourages user-specified aliases for
DNs.
The UI is entirely X11R4/Motif. The standalone DUA allows the user to
access the directory (using strong authentication) and to
fetch and validate, in real time, the certificate hierarchy of
potential mail recipients. The validated information can be stored
(and revalidated) in a local cache which constitutes a speed-up and
frees the user from occasions when the Directory may be unreachable.
If the user chooses to specify a DN and that DN is not in the local
cache (or the local information in the cache is expired) the system
_automatically_ performs a Directory search, validates the certificates
and updates the cache. X.400 ORAddresses are also stored in this cache
to save the MTA's processing time.
The MTA uses any X.400 addresses in the envelope and if DNs are present
it performs its own address lookups using its built-in DUA.
This system is REAL and currently deployed in testbeds across the
country.
I will make a statement based on EXPERIENCE:
It is more difficult to manage a certificate hierarchy and to
present a meaningful, attractive, easy to use, fast, and scalable
system and UI without a Directory than by any other means
discussed in this forum so far. (2/23/94)
Therefore, I have good reason to state that ASN.1 is not too difficult.
Nor are DNs too difficult to be presented meaningfully. Nor is it
too difficult to allow the user to specify aliases for frequent
correspondents, even to allow the user to specify an rfc-822 address as
the alias.
In short, this is hard but not impossible. Even I managed to do it :-)
As for other implementations and toolkits:
Try fetching secuDE based on ISODE if you want a toolkit ... It is
free and publicly available.
There is an ID which lists Directory implementations, last updated
in October 1993.
John Lowry
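The cache behaviour John describes above (look a DN up in a local per-user cache; on a miss or an expired entry, search the Directory, validate the certificate hierarchy, and refresh the cache, which also lets fresh entries be served while the Directory is unreachable) is modelled in the following added example. It is not John Lowry's code nor part of the system he describes; the Directory stand-in, the chain layout, the trusted-root DN, the CRL contents, the ORAddress strings and the revalidation interval are all constructed for illustration.

```python
"""Toy model of a DN-keyed certificate cache in front of a Directory.
Constructed example: names, DNs, ORAddresses and validity periods are invented."""
from dataclasses import dataclass
import time


@dataclass
class Cert:
    subject: str       # DN of the certificate holder
    issuer: str        # DN of the signing CA
    serial: int
    not_after: float   # expiry, epoch seconds
    # Signature checking is not modelled; a real validator verifies each
    # certificate's signature with the issuer's public key at this point.


@dataclass
class CacheEntry:
    chain: list        # leaf first, trusted root last
    or_address: str    # X.400 ORAddress kept alongside to spare the MTA a lookup
    validated_at: float


TRUSTED_ROOT = "C=US/O=Example/CN=Root CA"   # assumed trust anchor
REVALIDATE_AFTER = 3600.0                    # assumed: revalidate cached entries hourly


class Directory:
    """Stand-in for the X.500 Directory: DN -> (certificate chain, ORAddress)."""
    def __init__(self, entries, crls):
        self.entries = entries
        self.crls = crls          # issuer DN -> set of revoked serial numbers
        self.queries = 0          # counts real Directory searches, to show cache hits
        self.reachable = True

    def lookup(self, dn):
        if not self.reachable:
            raise ConnectionError("Directory unreachable")
        self.queries += 1
        if dn not in self.entries:
            raise KeyError(f"no Directory entry for {dn}")
        return self.entries[dn]

    def crl(self, issuer):
        return self.crls.get(issuer, set())


def validate_chain(chain, directory, now):
    """Walk leaf -> root: nothing expired or revoked, each issuer is the next
    certificate's subject, and the chain ends at the trusted root."""
    for i, cert in enumerate(chain):
        if cert.not_after <= now:
            return False, f"{cert.subject} expired"
        if cert.serial in directory.crl(cert.issuer):
            return False, f"{cert.subject} revoked by {cert.issuer}"
        if i + 1 < len(chain):
            if chain[i + 1].subject != cert.issuer:
                return False, f"issuer mismatch at {cert.subject}"
        elif cert.subject != TRUSTED_ROOT or cert.issuer != TRUSTED_ROOT:
            return False, "chain does not end at the trusted root"
    return True, "ok"


class DUA:
    """Directory user agent with a per-user cache of validated DNs."""
    def __init__(self, directory):
        self.directory = directory
        self.cache = {}

    def resolve(self, dn, now=None):
        now = time.time() if now is None else now
        entry = self.cache.get(dn)
        fresh = entry is not None and now - entry.validated_at < REVALIDATE_AFTER
        if fresh and all(c.not_after > now for c in entry.chain):
            return entry                      # cache hit; Directory not contacted
        chain, or_address = self.directory.lookup(dn)   # miss or stale: search
        ok, reason = validate_chain(chain, self.directory, now)
        if not ok:
            self.cache.pop(dn, None)          # never keep an invalid entry
            raise ValueError(f"{dn}: {reason}")
        entry = CacheEntry(chain, or_address, now)
        self.cache[dn] = entry
        return entry


# Constructed sample data: a root CA, a mail CA, and two users; Bob is revoked.
NOW = 1_000_000.0
ROOT = Cert(TRUSTED_ROOT, TRUSTED_ROOT, 1, NOW + 10 * 365 * 86400)
CA = Cert("C=US/O=Example/CN=Mail CA", TRUSTED_ROOT, 2, NOW + 5 * 365 * 86400)
ALICE = Cert("C=US/O=Example/CN=Alice", CA.subject, 100, NOW + 365 * 86400)
BOB = Cert("C=US/O=Example/CN=Bob", CA.subject, 101, NOW + 365 * 86400)


def make_directory():
    return Directory(
        entries={
            ALICE.subject: ([ALICE, CA, ROOT], "C=US;A=example;P=mail;S=Alice"),
            BOB.subject: ([BOB, CA, ROOT], "C=US;A=example;P=mail;S=Bob"),
        },
        crls={CA.subject: {BOB.serial}},
    )


if __name__ == "__main__":
    d = make_directory()
    dua = DUA(d)
    print(dua.resolve(ALICE.subject, now=NOW).or_address, "queries:", d.queries)
    print(dua.resolve(ALICE.subject, now=NOW + 60).or_address, "queries:", d.queries)
```

The point the example makes is the order of operations: the cache is only consulted for entries that are both recently validated and unexpired, anything else triggers a Directory search followed by full chain validation before the cache is written, and a failed validation evicts rather than refreshes the entry.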