I don't see why SKMS cannot precede PKI in the Implementation Guide
document; they will both be equivalent players in an EKMI, so discussing
either first would be appropriate.

I just thought about the people that only have the energy to browse
through the first part of the document :)

WRT the directory, Tomas, most PKIs that I've been involved with in the
past have required publishing certificates to Active Directory or some
other form of LDAP - although the last 2 we deployed did not require
that. Technically, there is no requirement for it unless the business
required it; but if the business did require it, it would be good to
discuss it in the guidelines document. Perhaps we should move it to
an Appendix as an optional component of a PKI. Any other thoughts on
this from others?

My feeling is that we should limit the description to the EKMI domain.
If it's not a requirement for EKMI it's out. If it's a technical
requirement for some PKI implementation, then it should be regarded as
an implementation issue. I don't see the EKMI ever making use of the
directory as a directory service; does anybody else see that?

P.S. I need to study XKMS a little bit before I can speak
intelligently on the subject, since I have not delved into XKMS too
deeply. Other than the W3C site with the specification, are there
any other documents/presentations that you'd recommend to us for
our reading list? Thanks Tomas.

No, unfortunately not. I did not do the XKMS implementation in EJBCA
myself, so I have only heard it from another source. He says that XKMS
is used/suitable for client enrollment anyhow.