Re: [pkix] purpose of LDAP in PKI
"Piyush Jain" <piyush@ditenity.com> Mon, 18 February 2013 18:07 UTC
From: Piyush Jain <piyush@ditenity.com>
To: 'Andris Berzins' <pkix@inbox.lv>, pkix@ietf.org
Date: Mon, 18 Feb 2013 10:07:46 -0800
Why make user certificates publicly available?
- Others can look you up and encrypt stuff that they send you without asking you for your certificate.
Why not?
- Loss of privacy.

Why use LDAP?
- Historical reasons.
- Standard schema/attributes exist to store such information.
Why not?
- Scalability issues, complicated setup, difficult to find LDAP experts, and subtle differences/idiosyncrasies of LDAP implementations make interoperability difficult.

Why use HTTP?
- Everyone knows HTTP, and it is scalable.
Why not?
- Standards to store/search for certificates/CRLs in HTTP stores are relatively new and implementations are limited. This is changing, though, and many big PKI implementations use HTTP to store CA certificates and CRLs. I have not seen any HTTP-backed store that stores user certificates and provides an API to search for such certificates.

From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Andris Berzins
Sent: Monday, February 18, 2013 4:50 AM
To: pkix@ietf.org
Subject: [pkix] purpose of LDAP in PKI

Hello,

What could be the reason why end user certificates should be stored in LDAP by the CA and made publicly available? (I might understand the reason for storing CRLs (LDAP as an alternative to HTTP).)