Re: [ekmi] Groups - EKMI Implementation and Operations Guidelines(ODT)

[Tomas Gustavsson <tomas@primekey.se>]

Arshad Noor skrev:
> I don't see why SKMS cannot precede PKI in the Implementation Guide
> document; they will both be equivalent players in an EKMI, so discussing
> either first, would be appropriate.

I just though about the people that only have the energy to browse 
through the first part of the document :)

> WRT the directory, Tomas, most PKIs that I've been involved with in the
> past have required publishing certificates to Active Directory or some
> other form of LDAP - although the last 2 we deployed did not require
> that.  Technically, there is no requirement for it unless the business
> required it; but if the business did require it, it would be good to
> discuss it in the guidelines document.   Perhaps we should move it to
> an Appendix as an optional component of a PKI.  Any other thoughts on
> this from others?

My feeling is that we should limit the description to the EKMI domain. 
If it's not a requirement for EKMI it's out. If it's a technical 
requirement for some PKI implementation, then it should be regarded as 
an implementation issue. I don't see the EKMI ever making use of the 
directory as a directory service, does naybode else see that?

> P.S.  I need to study XKMS a little bit before I can say speak
> intelligently on the subject, since I have not delved into XKMS too
> deeply.  Other than the W3C site with the specification, are there
> any other documents/presentations that you'd recommend to us for
> our reading list?  Thanks Tomas.

No unforturnately not. I did not do the XKMS implementation in EJBCA 
myself, so I have only heard it from another source. He says that XKMS 
is used/suitable for client enrollment anyhow.

Cheers,
Tomas