FW: new version of draft on additional x509 certificate schema for LDAP
Euchner Martin ICN M SR 3
Martin.Euchner at ICN.SIEMENS.DE
Wed Nov 6 05:11:39 EST 2002
The following ID (and some referenced LDAP schemata IDs inside) may be
related to the work of directory services architecture.
I should note that I've not deeply looked into the document yet, but perhaps
the H.LDAP experts may want to share an opinion?
With kind regards
Martin Euchner.
-----------------------------------------------------------------------
| Dipl.-Inf. Martin Euchner       Rapporteur Q.G/SG16
| Siemens AG                      Phone: +49 89 722 55790
| ICN M SR 3                      Fax:   +49 89 722 62366
| Hofmannstr. 51                  mailto:Martin.Euchner at icn.siemens.de
| D-81359 Muenchen                mailto:martin.euchner at ties.itu.int
| Germany                         Intranet: http://intranet.icn.siemens.de/marketing/cs27/topics/security/
|                                 Internet: http://www.siemens.de/
-----------------------------------------------------------------------
-----Original Message-----
From: Peter Gietz [mailto:Peter.Gietz at daasi.de]
Sent: Tuesday, November 05, 2002 2:12 PM
To: Ietf-Pkix
Subject: new version of draft on additional x509 certificate schema for LDAP
Hello all,
There is a new version of "An LDAPv3 Schema for X.509 certificates",
which I sent to the Internet Drafts Editor.
You can find the document at
http://www.directory.dfn.de/docs/draft-klasen-ldap-x509certificate-schema-01.txt
The changes to version 00 are noted in Appendix C.
You might remember my short presentation of the initial version at the
pkix meeting at IETF 53.
There are still some questions to handle:
- Is it possible to get a short time-slot at the Atlanta meeting for
presenting the changes of this new version?
- Can and should this draft be work of the pkix group, and should the
discussion about it be held on this list instead of in private email
communications?
- The draft introduces new naming attributes that should be included
in David's draft "LDAPv3 DN strings for use with PKIs"
<draft-ietf-pkix-dnstrings-00.txt>. Besides x509issuer and
x509serialNumber, the already widely used attribute emailaddress (email)
should be taken into account.
- The draft does not yet address the problem that there are "LDAPish"
implementations that are not able to support multi-valued RDNs
(e.g. x509serialNumber=1234+x509issuer=<dn of a CA>).
Shall this be addressed by including a third name form with yet
another naming attribute x509issuerSerial?
- The draft only describes fields described in RFC 3280. Should it
also deal with Qualified Certificates (RFC 3039)?
- Should it also take into account things like userGroupName
(draft-ietf-pkix-usergroup-01)?
- Should it also take into account things like Permanent Identifier
(draft-ietf-pkix-pi-05.txt and draft-chadwick-pkix-pidn-00.txt)?
I wanted to get some feedback on these questions before including
respective language into the draft.
Two more questions:
- Should revocation information be stored in a similar fashion? And if
so, how: 1.) metadata attributes for CRLs, or 2.) revocation-relevant
attributes attached to the certificate entries?
- Should attribute certificates be stored in a similar fashion?
I would love to receive comments on all this from this group.
Cheers,
Peter
--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH phone: +49 7071 2970336
Wilhelmstr. 106 Fax: +49 7071 295114
D-72074 Tübingen email: peter.gietz at daasi.de
Germany Web: www.daasi.de
Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
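The multi-valued RDN form Peter mentions (x509serialNumber=1234+x509issuer=<dn of a CA>) embeds one DN inside another, so the issuer DN's own ',' and '+' separators must be escaped or a DN parser will split the entry name at the wrong places. The following is an added example, not code from the draft or from either e-mail: it builds such an entry DN with RFC 4514 escaping and parses it back. The attribute names x509serialNumber and x509issuer are taken from the message; the base DN ou=certificates,dc=example,dc=com and the issuer DN are constructed sample data.

```python
"""Build and parse the x509serialNumber+x509issuer multi-valued RDN (added example).

Escaping follows RFC 4514 section 2.4. The base DN and issuer DN below are
constructed sample data, not values from the draft.
"""

# Characters that must be backslash-escaped anywhere inside a DN attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                  # NUL must be hex-escaped
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch in " #" and i == 0:
            out.append("\\" + ch)               # leading space or '#'
        elif ch == " " and i == last:
            out.append("\\" + ch)               # trailing space
        else:
            out.append(ch)
    return "".join(out)


def unescape_dn_value(value: str) -> str:
    """Inverse of escape_dn_value: handles \\<char> and \\<hex><hex> (single-byte) forms."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, ignoring separators that are preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])              # keep the escape pair intact
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def certificate_entry_dn(serial: int, issuer_dn: str, base_dn: str) -> str:
    """Name a certificate entry by serial number and (escaped) issuer DN."""
    rdn = f"x509serialNumber={serial}+x509issuer={escape_dn_value(issuer_dn)}"
    return f"{rdn},{base_dn}"


def parse_certificate_entry_dn(dn: str) -> tuple[dict[str, str], str]:
    """Return ({attribute: value} for the leading RDN, parent DN)."""
    rdns = split_unescaped(dn, ",")
    avas = {}
    for ava in split_unescaped(rdns[0], "+"):
        attr_type, _, raw = ava.partition("=")      # first '=' only; the issuer value keeps its own '='
        avas[attr_type.strip()] = unescape_dn_value(raw)
    return avas, ",".join(rdns[1:])


if __name__ == "__main__":
    issuer = "CN=Example CA,O=Example Inc.,C=DE"   # constructed sample issuer
    dn = certificate_entry_dn(1234, issuer, "ou=certificates,dc=example,dc=com")
    print(dn)
    print(parse_certificate_entry_dn(dn))
```

Without the escaping step, the issuer DN's commas would make the entry appear to live under O=Example Inc.,C=DE,ou=certificates,... rather than directly under the certificates container, and a '+' inside an issuer name would be read as a further attribute of the RDN.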