The following ID (and some referenced LDAP schemata IDs inside) may be related to the work of directory services architecture.
I should note that I've not deeply looked into the document yet, but perhaps the H.LDAP experts may want to share an opinion?
With kind regards
Martin Euchner.

-----------------------------------------------------------------------
| Dipl.-Inf.                 Rapporteur Q.G/SG16
| Martin Euchner             Phone: +49 89 722 55790
| Siemens AG                 Fax  : +49 89 722 62366
| ICN M SR 3                 mailto:Martin.Euchner@icn.siemens.de
|                            mailto:martin.euchner@ties.itu.int
| Hofmannstr. 51             Intranet: http://intranet.icn.siemens.de/marketing/cs27/topics/security/
| D-81359 Muenchen           Internet: http://www.siemens.de/
| Germany
-----------------------------------------------------------------------
-----Original Message-----
From: Peter Gietz [mailto:Peter.Gietz@daasi.de]
Sent: Tuesday, November 05, 2002 2:12 PM
To: Ietf-Pkix
Subject: new version of draft on additional x509 certificate schema for LDAP
Hello all,
There is a new version of "An LDAPv3 Schema for X.509 certificates", which I sent to the Internet Drafts Editor.
You can find the document at http://www.directory.dfn.de/docs/draft-klasen-ldap-x509certificate-schema-01.txt
The changes to version 00 are noted in Appendix C. You might remember my short presentation of the initial version at the pkix meeting at IETF 53.
There are still some questions to handle:
- Is it possible to get a short time-slot at the Atlanta meeting for presenting the changes of this new version?
- Can and should this draft be work of the pkix group and should the discussion about it be held on this list instead of in private email communications?
- The draft introduces new naming attributes that should be included into David's Draft "LDAPv3 DN strings for use with PKIs" <draft-ietf-pkix-dnstrings-00.txt>. Besides x509issuer and x509serialNumber the already widely used attribute emailaddress (email) should be taken into account.
- The draft does not yet address the problem that there are "LDAPish" implementations that are not able to support multi-valued RDNs (e.g. x509serialNumber=1234+x509issuer=<dn of a CA>). Shall this be addressed by including a third name form with yet another naming attribute x509issuerSerial?
- The draft does only describe fields described in RFC 3280. Should it also deal with Qualified certificates (RFC 3039)?
- Should it also take into account things like userGroupName (draft-ietf-pkix-usergroup-01)?
- Should it also take into account things like Permanent Identifier (draft-ietf-pkix-pi-05.txt and draft-chadwick-pkix-pidn-00.txt)?
I wanted to get some feedback on these questions before including respective language into the draft.
Two more questions:
- Should revocation information be stored in a similar fashion? And if so how: 1.) metadata attributes for CRLs or 2.) revocation-relevant attributes attached to the certificate entries.
- Should attribute certificates be stored in a similar fashion?
I would love to receive comments on all this from this group.
Cheers,
Peter
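As an added example, not taken from the draft or from either message in this thread, the following Python builds the multi-valued RDN form the draft proposes (x509serialNumber=1234+x509issuer=<dn of a CA>) and parses it back. It applies the DN string escaping rules of RFC 2253/4514 (the characters `, + " \ < > ; =` and leading `#`, leading or trailing spaces), which is what makes it possible to embed a CA's own DN, itself full of `,` and `=`, as a single RDN value. The sample issuer DN and parent DN are constructed values; the parsing only needs to handle the escapes this encoder emits plus `\XX` hex pairs.

```python
"""Build and parse a multi-valued RDN of the form
   x509serialNumber=<serial>+x509issuer=<escaped issuer DN>
Added example; attribute names come from the draft under discussion,
all sample DN values are constructed."""

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 2253 / RFC 4514).
SPECIAL = set(',+"\\<>;=')


def escape_value(value: str) -> str:
    """Escape one attribute value for use in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:          # leading '#' would be read as hex-encoded BER
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing space must be escaped
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def unescape_value(value: str) -> str:
    """Reverse escape_value; also accepts the \\XX hex-pair form for ASCII bytes."""
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == '\\' and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in '0123456789abcdefABCDEF' for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(ch)
            i += 1
    return ''.join(out)


def build_rdn(avas: list[tuple[str, str]]) -> str:
    """Join (attributeType, value) pairs into one multi-valued RDN with '+'."""
    return '+'.join(f"{atype}={escape_value(val)}" for atype, val in avas)


def parse_rdn(rdn: str) -> list[tuple[str, str]]:
    """Split a multi-valued RDN on unescaped '+' and unescape each value."""
    parts, cur, i = [], [], 0
    while i < len(rdn):
        ch = rdn[i]
        if ch == '\\' and i + 1 < len(rdn):   # keep escape pairs intact while splitting
            cur.append(rdn[i:i + 2])
            i += 2
            continue
        if ch == '+':
            parts.append(''.join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    avas = []
    for part in parts:
        atype, _, val = part.partition('=')   # first '=' separates type from value
        avas.append((atype.strip(), unescape_value(val)))
    return avas


def build_cert_dn(serial: str, issuer_dn: str, parent_dn: str) -> str:
    """DN of a certificate entry using the draft's two naming attributes (constructed parent DN)."""
    return build_rdn([("x509serialNumber", serial), ("x509issuer", issuer_dn)]) + "," + parent_dn


if __name__ == "__main__":
    # Constructed sample values.
    dn = build_cert_dn("1234", "CN=Example CA,O=Example", "ou=certificates,o=example")
    print(dn)
    print(parse_rdn(dn.split(",ou=", 1)[0]))
```

Round-tripping through `parse_rdn` is the check worth keeping when populating such entries: a directory that cannot represent multi-valued RDNs, which is the interoperability gap raised above, will typically reject or silently mangle exactly this escaped form.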