Re: [pkix] purpose of LDAP in PKI
Joel Kazin <joel.kazin1@verizon.net> Mon, 18 February 2013 14:18 UTC
Message-id: <5122382D.5090904@verizon.net>
Date: Mon, 18 Feb 2013 09:18:21 -0500
From: Joel Kazin <joel.kazin1@verizon.net>
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-version: 1.0
To: pkix@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C733340DA1B@uxcn10-2.UoA.auckland.ac.nz> <1361195591.51223247ad553@mail.inbox.lv> <1F94BBCDF9E6E7438147ABA3C338441A01594CEA16@MX32A.corp.emc.com>
In-reply-to: <1F94BBCDF9E6E7438147ABA3C338441A01594CEA16@MX32A.corp.emc.com>
Content-type: text/plain; charset="UTF-8"; format="flowed"
Content-transfer-encoding: 7bit
Subject: Re: [pkix] purpose of LDAP in PKI
When an enterprise is issuing certificates to its employees and contractors, there can be a need to make the encryption certificate publicly available for traffic from external parties to individuals at that enterprise.

Joel

On 2/18/2013 9:08 AM, Goulet, Walter wrote:
> Quoting Peter Gutmann <pgut001@cs.auckland.ac.nz>:
> Andris Berzins <pkix@inbox.lv> writes:
>
>>>> What could be the reason why end user certificates should be stored in LDAP
>>>> by the CA and made publicly available?
>>> There isn't one. It's (ancient) historical baggage based on X.509's origins
>>> in X.500, and some of the people writing the standards haven't realised yet
>>> that HTTP won.
>
>> When I apply for an ID-card having an authentication and qualified signature certificate on it,
>> I have to check a box for whether I want my certificates to be published in LDAP.
>> I get no clear answer on how I could benefit from my certificates being published.
> In enterprise or other private PKI deployments, publishing certificates to LDAP stores can be very useful for applications such as S/MIME, where a sender's mail client can fetch a recipient's certificate from a centralized LDAP directory service. Basically, exposing your certificate via LDAP makes it *much* easier for other applications to actually use your certificate.
>
> The benefits of publishing your certificate publicly (i.e. over an Internet-accessible LDAP directory store) are less clear to me.
>
>
> Peter.
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
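The lookup Walter describes (a mail client pulling a recipient's certificate out of a directory by e-mail address) and the external exposure Joel mentions both come down to the same operation: search on the `mail` attribute, read back `userCertificate;binary`, and decide whether what came back is usable. The following is an added example, not code from the pkix list or from any directory or mail product. It is stdlib-only Python that parses a constructed LDIF export (the same attributes an LDAP search for `(mail=...)` would return) and performs the client-side lookup with the checks a defender would want before encrypting to the result. The directory entries and the certificate bytes are constructed sample data; the "certificate" is a placeholder DER SEQUENCE, not a real X.509 certificate.

```python
"""Locate an S/MIME recipient's published encryption certificate.

Added example (not from the pkix list or any product): a stdlib-only sketch of
the client-side lookup against an enterprise directory export. Sample data and
the placeholder certificate bytes below are constructed for the example.
"""
import base64
from typing import Dict, List, Optional

# Constructed LDIF export of two directory entries. In a live deployment the
# same attributes come back from an LDAP search such as
#   (&(objectClass=inetOrgPerson)(mail=alice@example.com))
# requesting the userCertificate;binary attribute. The base64 value is folded
# over two lines (LDIF continuation lines start with a single space) and
# decodes to the placeholder DER SEQUENCE 30 06 02 01 01 02 01 02.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
mail: Alice@Example.com
userCertificate;binary:: MAYCAQ
 ECAQI=

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
mail: bob@example.com
"""


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Parse a simple LDIF export into a list of entries.

    Each entry maps an attribute description (e.g. "userCertificate;binary")
    to a list of raw values. Handles LDIF line folding and base64 values
    ("attr:: <base64>"); URL-valued attributes ("attr:< ...") are not needed here.
    """
    logical_lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]          # unfold continuation line
        else:
            logical_lines.append(raw)

    entries: List[Dict[str, List[bytes]]] = []
    current: Dict[str, List[bytes]] = {}
    for line in logical_lines:
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):                  # "attr:: base64"
            value = base64.b64decode(rest[1:].strip(), validate=True)
        else:                                     # "attr: text"
            value = rest.strip().encode("utf-8")
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def looks_like_der_sequence(der: bytes) -> bool:
    """Cheap structural check: a DER SEQUENCE whose declared length matches the data.

    A Certificate is SEQUENCE { tbsCertificate, signatureAlgorithm, signature },
    so anything failing this was never DER (a PEM string, truncated data, junk).
    It is a pre-filter only; a full X.509 parse and chain validation still follow.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                              # short-form length
        header, length = 2, first
    else:                                         # long-form length, 1..4 bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def find_encryption_certificate(entries: List[Dict[str, List[bytes]]],
                                email: str) -> Optional[bytes]:
    """Return the DER certificate published for `email`, or None.

    The directory is a lookup aid, not a trust anchor: the caller must still
    validate the chain and confirm the certificate's rfc822Name matches `email`
    before encrypting to it. Mail addresses are compared case-insensitively,
    as mail clients typically do.
    """
    wanted = email.strip().lower()
    for entry in entries:
        mails = [m.decode("utf-8").strip().lower() for m in entry.get("mail", [])]
        if wanted not in mails:
            continue
        certs = entry.get("userCertificate;binary") or entry.get("userCertificate", [])
        for der in certs:
            if looks_like_der_sequence(der):
                return der
        return None                               # entry exists, nothing usable
    return None


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for addr in ("alice@example.com", "bob@example.com"):
        cert = find_encryption_certificate(directory, addr)
        print(addr, "->", cert.hex() if cert else "no certificate published")
```

The two failure modes the lookup handles are the ones a client meets in practice: an entry that exists but has published no certificate (Bob, who did not tick the box Andris describes), and an attribute that is not DER at all. Where the directory is reachable by external parties, as in Joel's scenario, the same lookup runs over the Internet, so the directory should expose only the attributes this search needs (`mail` and `userCertificate;binary`) rather than the full entry.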
- Re: [pkix] purpose of LDAP in PKI Peter Gutmann
- [pkix] purpose of LDAP in PKI Andris Berzins
- [pkix] purpose of LDAP in PKI Peter Gutmann
- Re: [pkix] purpose of LDAP in PKI Andris Berzins
- Re: [pkix] purpose of LDAP in PKI Denis Pinkas
- Re: [pkix] purpose of LDAP in PKI Bilal Ashraf
- Re: [pkix] purpose of LDAP in PKI Goulet, Walter
- Re: [pkix] purpose of LDAP in PKI Joel Kazin
- Re: [pkix] purpose of LDAP in PKI Peter Gutmann
- Re: [pkix] purpose of LDAP in PKI Erik Andersen
- Re: [pkix] purpose of LDAP in PKI Ferda Topcan
- Re: [pkix] purpose of LDAP in PKI Michael StJohns
- Re: [pkix] purpose of LDAP in PKI Piyush Jain
- Re: [pkix] purpose of LDAP in PKI Peter Gutmann
- Re: [pkix] purpose of LDAP in PKI Kemp, David P.
- Re: [pkix] purpose of LDAP in PKI Paul Hoffman
- Re: [pkix] purpose of LDAP in PKI Piyush Jain
- Re: [pkix] purpose of LDAP in PKI Peter Gutmann
- Re: [pkix] purpose of LDAP in PKI Sean Leonard
- Re: [pkix] purpose of LDAP in PKI Phillip Hallam-Baker
- Re: [pkix] purpose of LDAP in PKI Peter Gutmann
- Re: [pkix] purpose of LDAP in PKI Phillip Hallam-Baker
- Re: [pkix] purpose of LDAP in PKI Peter Gutmann
- Re: [pkix] purpose of LDAP in PKI Michael StJohns
- Re: [pkix] purpose of LDAP in PKI Miller, Timothy J.
- Re: [pkix] purpose of LDAP in PKI Kemp, David P.