Re: WG Last Call: Certificate Schema
Kurt D. Zeilenga <Kurt <at> OpenLDAP.org>
2004-12-01 16:57:57 GMT
At 05:20 AM 12/1/2004, Peter Gietz wrote:
>some more remarks from my side.
>Kurt D. Zeilenga wrote:
>>While there may have been some in this WG that viewed the
>>value extraction approach as a pragmatic solution to various
>>specific issues, I believe there are also many, like myself,
>>who have never considered the value extraction approach, in
>>general, to be practical. And, as I noted in my previous
>>response, I do not consider the value extraction approach
>>as applied here to certificates and such to be pragmatic
>>as it simply does not address requirements I am faced with.
>One requirement addressed by value extraction is to return to the client only the certificate the client needs.
Which certificate is that? Maybe what the client wants is all certificates of
the person which holds a certificate whose subject DN contains a CN of X.
This highlights one of the problems with this approach. It seems to be designed
with a specific subset of PKI applications in mind. The solution, IMO, is not as
broadly applicable as its being made out to be.
>This requirement is not addressed by Component Matching. Only in combination with the return value
filter (RFC 3876), which defines an LDAP control that again has to be supported by Clients and Servers,