Comment on Direct_Certificate_Discovery_Background in direct-certificate-discovery-tool


direct-certifica...@googlecode.com

Dec 19, 2012, 3:58:40 AM12/19/12
to modular-sp...@googlegroups.com
Comment by pbspamfi...@gmail.com:

A few pragmatic notes, or maybe I'm reading this wrong. It's a nice
document.

1. If you already know the location of the LDAP server which you need to
query, you can skip the discovery step of using the DNS SRV record, which is
a global discovery method (when you don't know where the X.500/LDAP server is
located).

This was a minor error that crept in at some point in the specifications
handoff between S&I Provider Directory to Direct for the Applicability
statement. One can always query a known X.500/LDAP server directly with no
dependency on DNS if you know that's where the target certificates are
actually located. This might be within one's own enterprise, for example.

Once one then connects to that server one can use ldapsearch commands to
locate the record of interest at the desired depth of search. This is
based on the "Law of Demeter" http://en.wikipedia.org/wiki/Law_of_Demeter
concept.

2. I'm confused what the "private key" icon does to help explain the
concept. The directory only holds public key certificates, so this is
confusing in matching concepts.

A. The certificate is valid because it was bound to the entry which is
authoritative (which would be true in DNS or X.500/LDAP) which is a claim
B. The certificate is valid because it has not expired (for example not
revoked)
C. The certificate is valid because it chains up to the trust bundle, or a
known intermediate or root. (Path Validation of signatures)
D. The certificate is valid because one can decrypt a message from the
address or domain entry in the subject alternative field (which seems to be
the purpose of the icon)
E. The certificate is valid because it has the right HASH value

For more information:
http://code.google.com/p/direct-certificate-discovery-tool/wiki/Direct_Certificate_Discovery_Background
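The discovery step the comment discusses in point 1 (query a known X.500/LDAP server directly and skip DNS, otherwise fall back to the `_ldap._tcp.<domain>` SRV record) and the ldapsearch "depth of search" in the next paragraph, as an added example that is not part of the comment or of the direct-certificate-discovery-tool project. It is stdlib-only Python; the SRV records are constructed sample data, not live DNS, and the `_ldap._tcp.<domain>` SRV name and the `mail` / `userCertificate;binary` attribute names are my assumption of what a Direct directory lookup uses, since the comment does not spell them out. The LDAP filter value is escaped per RFC 4515 so an address containing `*`, `(`, `)` or `\` cannot change the shape of the query.

```python
"""Direct-style certificate discovery: choose the LDAP server, then build the query.

Steps modelled on the comment above:
  1. If the X.500/LDAP server is already configured, use it and skip DNS.
  2. Otherwise order the _ldap._tcp.<domain> SRV records per RFC 2782
     (lowest priority first, weighted choice within a priority).
  3. Build an escaped search filter for the address at the requested depth.
All records below are constructed sample data; nothing is fetched.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Assumed Direct directory attributes: address -> DER certificate (assumption).
ADDRESS_ATTR = "mail"
CERT_ATTR = "userCertificate;binary"

# RFC 4515 filter escapes; single-pass per character, so '\' is handled once.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def order_srv(records, rng=None):
    """Return SRV records in the order a client should try them (RFC 2782).

    Lower priority values come first. Within one priority a record is picked
    with probability proportional to its weight; weight-0 records are taken
    only after every weighted record, i.e. with the smallest chance.
    """
    rng = rng or random.Random()
    ordered = []
    for priority in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == priority]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                chosen = pool[0]  # only weight-0 records left
            else:
                pick = rng.randint(0, total - 1)
                running = 0
                for r in pool:
                    running += r.weight
                    if running > pick:
                        chosen = r
                        break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def plan_lookup(address, known_server=None, srv_records=None, scope="sub", rng=None):
    """Decide which server to query and what to ask it for.

    known_server: optional (host, port) of an already-known LDAP server; when
    given, DNS SRV discovery is skipped entirely (point 1 of the comment).
    scope: ldapsearch depth, one of base / one / sub.
    """
    if "@" not in address:
        raise ValueError("address must be user@domain")
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one or sub")
    domain = address.rsplit("@", 1)[1].lower()
    if known_server:
        host, port = known_server
        source = "configured"
    else:
        srv_name = f"_ldap._tcp.{domain}"
        if not srv_records:
            raise LookupError(f"no SRV records for {srv_name}")
        first = order_srv(srv_records, rng)[0]
        host, port, source = first.target, first.port, srv_name
    return {
        "host": host,
        "port": port,
        "source": source,
        "filter": f"({ADDRESS_ATTR}={ldap_filter_escape(address)})",
        "scope": scope,
        "attrs": [CERT_ATTR],
    }


def ldapsearch_command(plan, base_dn=""):
    """Render the plan as an ldapsearch argv (simple bind, given depth)."""
    return [
        "ldapsearch", "-x",
        "-H", f"ldap://{plan['host']}:{plan['port']}",
        "-b", base_dn,
        "-s", plan["scope"],
        plan["filter"], *plan["attrs"],
    ]


if __name__ == "__main__":
    sample = [  # constructed SRV records for example.test
        SrvRecord(10, 0, 389, "zero.example.test"),
        SrvRecord(10, 50, 389, "a.example.test"),
        SrvRecord(20, 0, 636, "low.example.test"),
    ]
    print(" ".join(ldapsearch_command(plan_lookup("doc@example.test", srv_records=sample))))
    print(" ".join(ldapsearch_command(plan_lookup("doc@example.test",
                                                  known_server=("ldap.internal.test", 389),
                                                  scope="one"))))
```

The returned plan records its `source`, so a client log can show whether a certificate came from a configured server or from DNS, which matters when troubleshooting why the "wrong" directory answered. The search scope is validated up front because a `sub` search against a large tree is the usual cause of slow or partial results.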