[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP server location and DN->DNS mapping




RL 'Bob' Morgan wrote:
> 
> Upon further discussion, the situation is stated like this.  Some
> organizations have large deployments using traditional X.500 civil naming
> (o=Example Corp, c=nu).  They also have issued X.509 certificates using
> those names.  They are as aware as anyone of the absence of a worldwide
> X.500 directory, and would like to take advantage of clients that can use
> SRV records to locate LDAP servers given a DN (eg, the DN of a cert
> issuer).  Adding directory contexts with DCs in them in lower levels of
> their existing hierarchy they see as much easier and less disruptive than
> establishing an entirely new naming hierarchy (while acknowledging that
> DNs have to change in either case).

Now I dont see how this will work. If the CA already has an X.521 name
form with lots (thousands possibly) of issued certificates, how will it
help those thousands of certificates to create a new name with DCs at
the bottom of it. The certificates have not changed, so wont know about
this new DC extended name. You obviously are not suggesting re-issuing
the certificates, otherwise a simple transition to pure DC based naming
could be done at the same time.

So could you please explain how this DC extended name is going to help?

If I were to solve this problem I would create a CA name based on DC 
naming and put this in all new certificates, still using X521 naming for
everything else. Then the certificate user can look up the LDAP server
of the CA, using the mechanism proposed in the current ID. Eventually
everyone would migrate to this new scheme. But it would not solve the
problem for existing users.

Were you aware that an ID was presented to the PKIX group in Pittsburg
(authors were Sharon Boeyen of Entrust and someone else I believe) who
were also trying to solve this problem. There solution if I remember
correctly (unfortunately I cannot find a copy of their ID) was to use
the email address of the user, which is often stored in the certificate,
to find the LDAP server via SRV records. Since the Email address is
already a DNS name, no DC mapping is needed. The disadvantage comes for
users whose email addresses are not provided by the same organisation as
the CA (e.g. a hotmail address in a certificate issued by Verisign).



David
>  And based on this they ask what the
> technical justification is for using the mapping specified in
> ldapext-locate versus a looser mapping that would let them (as they see
> it) transition more easily.  If the justification is "purity", or
> attitudes of how naming hierarchies should be designed in practice, then
> the assertion is that design of naming hierarchies should be left to
> deployers.
> 
> > then I think the draft as it stands is just fine. An organisation using
> > X.521 naming e.g. o=university of salford, c=gb, can still use the ID as
> > it stands by creating a DC based alias entry for its organisation in its
> > LDAP directory e.g. dc=salford, dc=ac, dc=uk and pointing this to its
> > X.521 based organisation entry. The client can then use SRV records to
> > find the TCP/IP address of the LDAP server and send a search request
> > looking for david chadwick in the dc based organisation. The server will
> > simply dereference the alias, map the dc organisation alias into the
> > X.521 organisation and continue the search from there.
> 
> Hmm.  Do existing LDAP servers uniformly support this?  (not that it
> answers the question on the table ...)
> 
>  - RL "Bob"

-- 
*****************************************************************

David Chadwick, BSc PhD
Post: IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351  Fax +44 161 745 8169
Mobile: +44 790 167 0359
Email: D.W.Chadwick@salford.ac.uk
Home Page:  http://www.salford.ac.uk/its024/chadwick.htm
Research Projects: http://sec.isi.salford.ac.uk
Understanding X.500:  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J

*****************************************************************
begin:vcard 
n:Chadwick;David
tel;fax:+44 1484 532930
tel;home:+44 790 167 0359
tel;work:+44 161 295 5351
x-mozilla-html:FALSE
adr:;;;;;;
version:2.1
email;internet:d.w.chadwick@salford.ac.uk
x-mozilla-cpt:;-16144
fn:David Chadwick
end:vcard

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature