FW: new version of draft on additional x509 certificate schema fo r LDAP

Euchner Martin ICN M SR 3 Martin.Euchner at ICN.SIEMENS.DE
Wed Nov 6 05:11:39 EST 2002

The following ID (and some referenced LDAP schemata IDs inside) may be
related to the work of directory services architecture.

I should note that I've not deeply looked into the document yet, but perhaps
the H.LDAP experts may want to share an opinion?

With kind regards

Martin Euchner.
| Dipl.-Inf.                     Rapporteur Q.G/SG16
| Martin Euchner                 Phone: +49 89 722 55790
| Siemens AG.....................Fax  : +49 89 722 62366
| ICN M SR 3                     mailto:Martin.Euchner at icn.siemens.de
|                                mailto:martin.euchner at ties.itu.int
| Hofmannstr. 51                 Intranet:
| D-81359 Muenchen               Internet: http://www.siemens.de/
| __________________
| Germany     

 -----Original Message-----
From:   Peter Gietz [mailto:Peter.Gietz at daasi.de] 
Sent:   Tuesday, November 05, 2002 2:12 PM
To:     Ietf-Pkix
Subject:        new version of draft on additional x509 certificate schema
for LDAP

Hello all,

There is a new version of  "An LDAPv3 Schema for X.509 certificates", 
which I sent to the Internet Drafts Editor.

You can find the document at 

The changes to version 00 are noted in Apendix C.
You might remember my short presentation of the initial version at the 
pkix meeting at IETF 53.

There are still some questions to handel:

- Is it possible to get a short time-slot at thje Atlanta meeting for 
presenting the changes of this new version?

- Can and should this draft be work of the pkix group and should the 
discussion about it be held on this list instead of in private email
- The draft introduces new naming attributes that should be included 
into David's Draft "LDAPv3 DN strings for use with PKIs"
  <draft-ietf-pkix-dnstrings-00.txt>. Besides x509issuer and 
x509serialNumber the allready widely used attribute emailaddress (email)
  should be taken into account.
- The draft does not yet address the problem that there are "LDAPish" 
implementations that are not able to support multi-valueelds RDNs
 (e.g.  x509serialNumber=1234+x509issuer=<dn of a CA>).
  Shall this be addressed by including a third name form with yet 
another naming attribute x509issuerSerial?
- The draft does only describe fields described in RFC 3280. Should it 
also deal with Qualified certificates (RFC 3039)?
- Should it also take into account things like userGroupName 
- Should it also take into account things like Permanent Identifier 
(draft-ietf-pkix-pi-05.txt and draft-chadwick-pkix-pidn-00.txt)?

I wanted to get some feedback on these questions before including 
respective language into the draft.

Two more questions:

- should revocation information be stored in a similiar fashion. And if 
so how: 1.) Metadata attributes for CRLs or 2.) revocation relevant 
attributes attached to the certificate entries.
- should attribute certificates be stored in a similiar fashion?

I would love to receive comments on all this from this group.



Peter Gietz (CEO)
DAASI International GmbH                phone: +49 7071 2970336
Wilhelmstr. 106                         Fax:   +49 7071 295114  
D-72074 Tübingen                        email: peter.gietz at daasi.de
Germany                                 Web:   www.daasi.de

Directory Applications for Advanced Security and Information Management

For help on this mail list, send "HELP ITU-SG16" in a message to
listserv at lists.intel.com

More information about the sg16-avd mailing list