IETF Logo Mail Archive

RE: Basic Cert-2-Directory mapping question

"Slone, Skip" <skip.slone@lmco.com> Thu, 11 January 2001 18:03 UTC

Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA11238 for <pkix-archive@odin.ietf.org>; Thu, 11 Jan 2001 13:03:37 -0500 (EST)
Received: from localhost (daemon@localhost) by ns.secondary.com (8.9.3/8.9.3) with SMTP id JAA13834; Thu, 11 Jan 2001 09:57:40 -0800 (PST)
Received: by mail.imc.org (bulk_mailer v1.12); Thu, 11 Jan 2001 09:57:36 -0800
Received: from mailgw2a.lmco.com (mailgw2a.lmco.com [192.91.147.7]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA13804 for <ietf-pkix@imc.org>; Thu, 11 Jan 2001 09:57:35 -0800 (PST)
Received: from emss03g01.ems.lmco.com (emss03g01.ems.lmco.com [141.240.4.144]) by mailgw2a.lmco.com (8.8.8/8.8.8) with ESMTP id NAA11607; Thu, 11 Jan 2001 13:02:43 -0500 (EST)
Received: from CONVERSION-DAEMON by lmco.com (PMDF V5.2-32 #38888) id <0G7000M01FEXBK@lmco.com>; Thu, 11 Jan 2001 13:01:48 -0500 (EST)
Received: from emss03i00.ems.lmco.com ([141.240.31.211]) by lmco.com (PMDF V5.2-32 #38888) with ESMTP id <0G70000WAFEJ5F@lmco.com>; Thu, 11 Jan 2001 13:01:31 -0500 (EST)
Received: by emss03i00.orl.lmco.com with Internet Mail Service (5.5.2650.21) id <CKL19L31>; Thu, 11 Jan 2001 13:02:39 -0500
Content-return: allowed
Date: Thu, 11 Jan 2001 13:02:39 -0500
From: "Slone, Skip" <skip.slone@lmco.com>
Subject: RE: Basic Cert-2-Directory mapping question
To: 'Robert Klerer' <klerer@xhair.com>, ietf-pkix@imc.org
Message-id: <B23207A86E7BD411A7000008C7E6693C77F8E8@emss03m03.orl.lmco.com>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-type: text/plain; charset="ISO-8859-1"
X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id JAA13805
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe
X-MIME-Autoconverted: from 8bit to quoted-printable by ns.secondary.com id JAA13834
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id NAA11238

One example is to find associated attribute certs.  See the following sample
paragraph taken from
ftp://ftp.ietf.org/internet-drafts/draft-ietf-pkix-ac509prof-06.txt:

   In other cases, it is more suitable for a client simply to
   authenticate to the server and for the server to request or "pull"
   the client's AC from an AC issuer or a repository. <<<<------- !!

 -- Skip

-----Original Message-----
From: Robert Klerer [mailto:klerer@xhair.com]
Sent: Thursday, January 11, 2001 12:12 PM
To: ietf-pkix@imc.org
Subject: RE: Basic Cert-2-Directory mapping question



Please excuse my ignorance, but if I have the certificate why would I need a
repository where the certificate is stored? I need CRLs, but there is an
extension for that and has little to do with the subject DN in EE cert.  The
only use I have for a repository is to find certificates if I know an EE's
name -- which brings up the real problem of mapping an EE name to a DN.  The
"other attributes" is meaningless in this discussion since they would be
unsigned and I would have an apriori trust of the repository, thus I know
where to go beforehand.

From: Slone, Skip [mailto:skip.slone@lmco.com]

Here's a use case that fits my scenario:

An RP needs to find a directory entry corresponding to a given certificate,
where:
 - the certificate subject name uses civil-style naming,
 - the RP's known directories have no knowledge (direct or indirect), and
 - the subject's domain name is not known and cannot be derived.

With today's tools, this use case fails:
 - LDAPv3 referrals fail due to the lack of knowledge,
 - PKIXREP fails due to the lack of a domain name.

Am I overlooking some tool that can do the job?

 -- Skip

-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Thursday, January 11, 2001 10:31 AM
To: ietf-pkix@imc.org
Subject: Re: Basic Cert-2-Directory mapping question


"Slone, Skip" wrote:
>
> If LDAPv3 referrals were sufficient, we wouldn't be having this
> conversation.

Who said that LDAPv3 referrals are the overall solution without
prior configuration?

> LDAPv3 referrals WILL work in the following two cases:
>
> 1) where my server's administrator already knows how to
> find the target name
> space, or
> 2) where my server and the server holding the target name space
> participate in some fully-connected DIT
> [..]

Yes.

> What I'm discussing is a way to fill in the gap where (1) my server does
not
> already know how to find a certain name space, and (2) there's a knowledge
> disconnect between my server and the server holding the target. In this
> case, LDAPv3 referrals WILL NOT work.

Yes.

And RFC2377 does not work without SRV RRs. Yes. And I can't access
http://www.ietf.org without somebody having added the entry
www.ietf.org to DNS. Yes.  And... Yes.

No doubt, if you do not know any service access point or you don't
have any rule how to derive the service access point from an
information at hand you can't access the service. Yes.

Now about which *use-case* are we talking here?

Ciao, Michael.

v2.23.0 | Report a Bug | By Email