OASIS Mailing List Archives

pki-tc message


Subject: The case against X.500 directories

From the IETF-PKIX list:

I would like to add a few things to what Phillip Hallam-Baker of
VeriSign wrote about directories as an obstacle to PKI deployment.

Many PKI experts are involved in huge public-sector-driven projects
that are based on establishing directory interoperability between
organizations.  At first sight this looks like a great idea but digging
a bit further, you soon note that this is not a universal solution but
rather a dead end.

Directory problem issues 
1. Technical.  Unifying schemas + firewall issues
2. Internal information  (including employment) is generally not public
3. The level of openness depends on who is asking
4. Directories represent just one way to organize data

But, there is no reason to despair, as there are work-arounds that
properly address all these issues:

Using authentication systems like OASIS' SAML, organizations can
(through their employees), authenticate to each other's intranets and
through this get access to exactly the information they should have
and in a format that makes sense.  The latter may be a directory tree,
a PDF-file, a database listing, an HTML form, etc.

Unlike directory systems, SAML allows secure access to any kind
of active or passive information source, including purchasing and
work-flow systems.

All using the truly universal Internet browser interface.

For machine-to-machine (=automated) access to external information,
specialized Web Services seem to be a much more extensible route
than directories, as the former introduces no restrictions on data.

Anders Rundgren
Independent consultant PKI and secure e-business
