Certificate Discovery for Direct Project 2011-08-29


 * **Meeting Date:** 08/29/2011
 * **Meeting Title:** PD Certificate Discovery for Direct Project SWG Meeting Session 12

Agenda/Objectives:

|| **Topic** || **Presenter** || **Time Allotted** ||
|| Implementation Guidelines for publishing and discovering LDAP services using DNS SRV record || John Moehrke || 50 min ||
|| Post Meeting Reviews || Support Team || 10 min ||

Attendees:
__Workgroup Attendees:__ To be updated

__Panelist Attendees:__ Erik Pupo, Jonathan Tadese, Kelly Conlin

**Action Items:**
|| **Date** || **Description** || **Owner** || **Status** || **Notes** ||
|| 8/15/2011 || Implementation guidelines for publishing and discovering LDAP services using the DNS SRV record || John Moehrke || OPEN || Refer to Volunteer Recommendation Review Wiki Page ||
|| 8/1/2011 || Develop Recommendation Statement for DNS/LDAP Hybrid Approach || Bob Dieterle || CLOSED || Refer to Volunteer Recommendation Review Wiki Page ||
|| 7/25/11 || Develop LDAP guidance || Erik, Bob, John, Peter, Les, Ken, Alex, and any other interested SWG members || CLOSED ||  ||
|| 7/18/11 || Present revisions made to the Use Case to address “No” and “Yes with comments” votes from Committed Members || Use Case Support Leads || CLOSED || “No” votes were provided by Les Keepper and Ernest Grove. “Yes with comments” were provided by Brett Peterson and McLain Causey. ||

__**Meeting Minutes:**__
The parameters on an SRV record (weight and/or priority) give guidance on which record is to be used; if one fails, simply choose another one.
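The weight/priority selection and failover noted above, written out using the RFC 2782 ordering rules. This is an added example, not part of the original minutes or of the Direct Project reference implementation; the domain, host names and the `fake_connect` stand-in are constructed for illustration.

```python
import random
from collections import namedtuple

# One SRV answer for _ldap._tcp.<domain>; fields follow RFC 2782.
Srv = namedtuple("Srv", "priority weight port target")

def order_srv(records, rng=random):
    """Return records in the order a client should try them (RFC 2782)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):  # lowest priority value first
        # Weight-0 records are placed first so they keep a small chance of selection.
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= pick:  # weighted random choice within one priority
                    ordered.append(group.pop(i))
                    break
    return ordered

def first_reachable(records, connect, rng=random):
    """Try servers in RFC 2782 order; return (record, targets_tried)."""
    tried = []
    for rec in order_srv(records, rng):
        tried.append(rec.target)
        try:
            connect(rec.target, rec.port)
            return rec, tried
        except OSError:
            continue  # this server failed: move on to the next record
    return None, tried

# Constructed sample answers for _ldap._tcp.direct.example.org (hypothetical domain).
SAMPLE = [
    Srv(10, 60, 389, "ldap1.direct.example.org"),
    Srv(10, 40, 389, "ldap2.direct.example.org"),
    Srv(20, 0, 389, "backup.direct.example.org"),
]

def fake_connect(host, port):
    """Stand-in for an LDAP connection: both priority-10 hosts are down."""
    if host != "backup.direct.example.org":
        raise OSError(f"{host}:{port} unreachable")

if __name__ == "__main__":
    rec, tried = first_reachable(SAMPLE, fake_connect)
    print("tried:", tried, "-> using:", rec.target)
```

In a real client, `connect` would open the LDAP connection and the records would come from the resolver's answer to the `_ldap._tcp` query.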


**__Section 2 Review:__**


 * **Establish explanation of how to deal with multiple results.**
 * **Add comment on discovering the Base DN and preventing recursion.**

Establishing language needed to say the query is a full query across the whole directory:
 * Is there a standard base DN where the cert should start?
 * IGPWP Profile: Discover the Base DN through a null query. When doing an LDAP query on null, LDAP returns back to you a list of base DNs. That list is used as a base DN for further queries.
 * If this is the case, could certs end up being recursive?
 * Unsure of how recursive certs can be prevented.
 * Base DN parameter must be met.
 * Danger of getting into bad search performance if certs are recursive.
 * In IHE, a well-known CN type was defined to indicate a person/object.
 * Where can we get this information from?
 * IHE solution: there will be a fixed entry in the directory tree where the personnel information is. A fixed entry would have a fixed common name.
 * Are there LDAP experts who can speak to this?
 * John can reach out to LDAP experts for this information.
 * Direct Project RI uses all certificates that are found; this may change as policy statements come forth. CRL and OCSP are both used depending on configurations.

Opportunity to think through how this implementation can be crafted to be used in the future.

The idea of an organization S/MIME certificate is an oxymoron; a schema may have to be invented. Should we invent a schema if there is an organization schema that has an S/MIME cert in it?

**__Section 3 Review:__**

Propose we continue to use inetOrgPerson with a mail attribute simply equal to the domain.

Discussion regarding consensus: after these next steps have been completed and all text in the Volunteer Review Page has been changed to green, we should be good to move to a formal consensus process.
 * Verbal consensus for information to be completed before next week:
 * Silence is consensus; fine to move forward towards consensus.