
Re: LDAP Certificate transfer syntax (draft-ietf-pkix-ldap-v3-05.txt)



      Harald:

      While there is obviously nothing wrong with putting certificates in a
directory entry other than that of the subject (cross-certificates are
recommended to go into the issuer's directory entry as well as the
subject's for example), should certificates be stored in the
userCertificate attribute of any entry other than the subject's?  That's a
much more dubious thing to do.  Shouldn't a different attribute be defined
for such a purpose?

            Tom Gindin


Harald Koch <chk@pobox.com>@mail.imc.org on 04/03/2002 12:08:14 AM

Sent by:    owner-ietf-pkix@mail.imc.org


To:    LDAP BIS <ietf-ldapbis@OpenLDAP.org>, PKIX <ietf-pkix@imc.org>
cc:
Subject:    Re: LDAP Certificate transfer syntax
       (draft-ietf-pkix-ldap-v3-05.txt)



Of all the gin joints in all the towns in all the world, Ken Stillson
had to walk into mine and say:
>
>   "A PKI object should be placed into a LDAP directory such that the LDAP
>    object DN matches the subject DN of the object."

It's supposed to be the other way around, isn't it? One should issue
certificates with a subject DN that matches the LDAP object DN.

Anyway, there are many environments where a certificate issued by one
organisation must be stored in a directory belonging to another. I don't
believe that an arbitrary restriction like this won't fly.

--
Harald Koch     <chk@pobox.com>
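Both messages turn on the same practical question: does a certificate found in an entry's userCertificate attribute actually belong to that entry, i.e. does its subject DN match the entry's DN? The following is an added example, not code from either poster or from the draft; it audits a constructed set of entries and flags certificates whose subject DN does not match the entry DN. It assumes the subject DNs have already been extracted from the certificates (with whatever X.509 library is at hand) and are supplied as RFC 4514 string DNs, and it assumes caseIgnoreMatch semantics for the attribute values, so a naive string comparison would be wrong for differences in case, whitespace and escaping.

```python
"""Audit LDAP entries for userCertificate values whose subject DN does not
match the entry DN (added example; entries and DNs below are constructed)."""
import re

# A backslash followed by two hex digits or by any single escaped character.
_HEX_OR_CHAR = re.compile(r"\\([0-9A-Fa-f]{2}|.)")


def _split_unescaped(s, sep):
    """Split s on sep, ignoring separators that are escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value):
    """Resolve RFC 4514 escapes: \\XX hex pairs and \\<char> single escapes."""
    def repl(m):
        g = m.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g
    return _HEX_OR_CHAR.sub(repl, value)


def normalize_dn(dn):
    """Canonical form of a string DN: a tuple of RDNs, each a sorted tuple of
    (type, value) pairs with lower-cased types and case-folded,
    whitespace-collapsed values (an assumed caseIgnoreMatch approximation)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, _, attr_value = ava.partition("=")
            attr_type = attr_type.strip().lower()
            attr_value = " ".join(_unescape(attr_value.strip()).split()).casefold()
            avas.append((attr_type, attr_value))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def audit_entries(entries):
    """entries: list of (entry_dn, [subject_dn of each userCertificate value]).
    Returns (entry_dn, subject_dn) pairs where the certificate belongs to
    somebody other than the entry it is stored in."""
    findings = []
    for entry_dn, subject_dns in entries:
        expected = normalize_dn(entry_dn)
        for subject_dn in subject_dns:
            if normalize_dn(subject_dn) != expected:
                findings.append((entry_dn, subject_dn))
    return findings


# Constructed sample directory content (not real entries or certificates).
SAMPLE_ENTRIES = [
    # Same DN, differing only in case and spacing: not a finding.
    ("cn=Tom Gindin,o=Example Corp,c=US",
     ["CN=tom gindin, O=Example Corp, C=US"]),
    # A CA entry holding its own certificate plus a partner's certificate:
    # the second value is the kind of misplacement Tom asks about.
    ("cn=Acme CA,o=Acme,c=US",
     ["cn=Acme CA,o=Acme,c=US", "cn=Partner CA,o=Partner Ltd,c=GB"]),
    # Same value written with two different escape forms: not a finding.
    ("cn=Smith\\, John,o=Example Corp,c=US",
     ["cn=Smith\\2c John,o=Example Corp,c=US"]),
]

if __name__ == "__main__":
    for entry_dn, subject_dn in audit_entries(SAMPLE_ENTRIES):
        print(f"MISMATCH entry={entry_dn!r} certificate subject={subject_dn!r}")
```

Running it reports only the partner certificate in the Acme CA entry; a cross-certificate is still a legitimate thing to publish, but, as Tom's message argues, it is worth knowing which userCertificate values are not the entry's own so they can be moved to a purpose-specific attribute rather than silently treated as the subject's credential.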