RL 'Bob' Morgan wrote: > > Upon further discussion, the situation is stated like this. Some > organizations have large deployments using traditional X.500 civil naming > (o=Example Corp, c=nu). They also have issued X.509 certificates using > those names. They are as aware as anyone of the absence of a worldwide > X.500 directory, and would like to take advantage of clients that can use > SRV records to locate LDAP servers given a DN (eg, the DN of a cert > issuer). Adding directory contexts with DCs in them in lower levels of > their existing hierarchy they see as much easier and less disruptive than > establishing an entirely new naming hierarchy (while acknowledging that > DNs have to change in either case). Now I dont see how this will work. If the CA already has an X.521 name form with lots (thousands possibly) of issued certificates, how will it help those thousands of certificates to create a new name with DCs at the bottom of it. The certificates have not changed, so wont know about this new DC extended name. You obviously are not suggesting re-issuing the certificates, otherwise a simple transition to pure DC based naming could be done at the same time. So could you please explain how this DC extended name is going to help? If I were to solve this problem I would create a CA name based on DC naming and put this in all new certificates, still using X521 naming for everything else. Then the certificate user can look up the LDAP server of the CA, using the mechanism proposed in the current ID. Eventually everyone would migrate to this new scheme. But it would not solve the problem for existing users. Were you aware that an ID was presented to the PKIX group in Pittsburg (authors were Sharon Boeyen of Entrust and someone else I believe) who were also trying to solve this problem. There solution if I remember correctly (unfortunately I cannot find a copy of their ID) was to use the email address of the user, which is often stored in the certificate, to find the LDAP server via SRV records. Since the Email address is already a DNS name, no DC mapping is needed. The disadvantage comes for users whose email addresses are not provided by the same organisation as the CA (e.g. a hotmail address in a certificate issued by Verisign). David > And based on this they ask what the > technical justification is for using the mapping specified in > ldapext-locate versus a looser mapping that would let them (as they see > it) transition more easily. If the justification is "purity", or > attitudes of how naming hierarchies should be designed in practice, then > the assertion is that design of naming hierarchies should be left to > deployers. > > > then I think the draft as it stands is just fine. An organisation using > > X.521 naming e.g. o=university of salford, c=gb, can still use the ID as > > it stands by creating a DC based alias entry for its organisation in its > > LDAP directory e.g. dc=salford, dc=ac, dc=uk and pointing this to its > > X.521 based organisation entry. The client can then use SRV records to > > find the TCP/IP address of the LDAP server and send a search request > > looking for david chadwick in the dc based organisation. The server will > > simply dereference the alias, map the dc organisation alias into the > > X.521 organisation and continue the search from there. > > Hmm. Do existing LDAP servers uniformly support this? (not that it > answers the question on the table ...) > > - RL "Bob" -- ***************************************************************** David Chadwick, BSc PhD Post: IS Institute, University of Salford, Salford M5 4WT Tel: +44 161 295 5351 Fax +44 161 745 8169 Mobile: +44 790 167 0359 Email: D.W.Chadwick@salford.ac.uk Home Page: http://www.salford.ac.uk/its024/chadwick.htm Research Projects: http://sec.isi.salford.ac.uk Understanding X.500: http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string: MLJ9-DU5T-HV8J *****************************************************************
begin:vcard n:Chadwick;David tel;fax:+44 1484 532930 tel;home:+44 790 167 0359 tel;work:+44 161 295 5351 x-mozilla-html:FALSE adr:;;;;;; version:2.1 email;internet:d.w.chadwick@salford.ac.uk x-mozilla-cpt:;-16144 fn:David Chadwick end:vcard
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature