[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt
David,
RE: Bruce's suggestion.
This requires using his version of the family of entries. If you do, and you
accept the maintenance issue of keeping all attribute values in sync, there
is no reason why it can't work.
However, I seem to sense some opposition to the concept and this is where we
have a real problem. If an entry holds two certificates, there is no way of
setting other attributes in the entry so that each of their values are
associated with the appropriate certificate. I think the matching rule
approach is the only solution. You may be able to have 'magic' attributes
that have order-dependent values, but this is in conflict with the X.500
standard. One may always, of course, pregenerate the values of magic and
invisible attributes that are only accessed with the application of specific
matching rules.
Ron.
-----Original Message-----
From: David Chadwick [mailto:d.w.chadwick@salford.ac.uk]
Sent: Friday, 14 July 2000 0:03
To: Sean Mullan; ietf-pkix@imc.org; ietf-ldapext@netscape.com
Cc: Boeyen@entrust.com
Subject: Re: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt
Date sent: Wed, 12 Jul 2000 19:31:31 +0100
From: Sean Mullan <sean.mullan@sun.com>
To: d.w.chadwick@salford.ac.uk
Copies to: ietf-pkix@imc.org, ietf-ldapext@netscape.com
Subject: Re: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt
> Hi David,
>
> Some comments on the draft below.
Sean, replies intersperced below
> Section 3.2 Certificate Match
>
> I think the X.509 certificate matching rules are missing some
> essential and important fields in the certificateAssertion structure
> for filtering on certificates. We may want to consider defining a
> superset. I submitted these comments to the X.509 editors but
> apparently it was too late to integrate them into the 2000 update.
>
> * you should be able to match on more than one pathToName and on
> non-X500
> name types. This is inconsistent with name constraints which allow
> you to constrain to more than one name and different name types.
>
I agree that alternative name types should be allowed. But maybe it
is not necessary to have multiple names, since you can do several
Searches providing one name for each search (remember that the
name presented should be allowed to have a cert path created to it)
How do we want to handle this:
i) issue a defect on X.509 (Sharon can you comment on this)
ii) let the LDAP matching rule be a superset of the X.509 one?
I would favour the former route myself.
> * you should be able to match on more than the subject alt name
> type.
Agreed. This is a lack of clarity in the ID. It is intended that the
whole name can be presented along with the type. The text is
ambiguous in this respect and I will fix it. It will also be clearer when
version 1 is published that contains BNF for each of the fields.
Steven Legg has been doing this for me.
> You
> should also be able to match on the subject alt name itself, and
> specify more than one subject alt name as certificates can contain
> more than one.
>
Concerning multiple names, I think this can be solved by performing
multiple searches with a single name in each search.
> * you should be able to match on the subject public key as well as
> the subject public
> key algorithm OID.
>
you can match on the subject key identifier (3rd component)
> * you should be able to match on the basic constraints extension,
> especially the
> maxPathLen value. This is useful for finding potential
> certificates when building certification paths from the target to
> the most-trusted CA. For ex, if a partial path has been built, any
> candidate certificate must have a maxPathLen value greater than or
> equal to the number of certificates in the partial path.
>
Interestingly this has been defined for attribute certificates and not
pk certs. I actually think that the way matching for ACs has been
handled is far superior than for PKcerts. ie. a separate matching
rule for each extension, rather than one long complex rule for pk
certs. However, there would be nothing to stop an implementation
dynamically attaching the basicAttConstraintsMatch to public key certs. In
fact this matching rule could be renamed the basicConstraintsMatch
anyway as the syntax is the same for both ACs and PKCs. This is
my preferred approach.
> I think it is very important to include the Certificate pair matching
> rules, as these are very useful when building certification paths and
> trying to discover which of many cross certificates satisfy various
> validation constraints, and eliminating those that do not.
>
OK, this can be done. It is just time consuming and I wanted to
know if there was a demand first.
> Other comments:
>
> * What RFC format are you using for the encoding of DNs - 1779? This
> should be referenced.
It should be 2253 for LDAPv3.
>
> Section 4.2 Certificate List Match
>
> There is an error in the CertificateListAssertion definition in X.509
> 2000. The authorityKeyIdentifier component should be marked OPTIONAL.
> This probably doesn't affect your definition, but I just wanted to
> make you aware of it.
Agreed, Sharon, can you make a note of this defect
David
p.s. what do you think about Bruce's assertion that none of this is
needed and instead we should have a bunch of simple attributes in
the LDAP entry
David
>
***************************************************
David Chadwick
IS Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351 Fax +44 161 745 8169
Mobile +44 790 167 0359
Email D.W.Chadwick@salford.ac.uk
Home Page http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J
***************************************************