LDAP and DNS Hybrid Group Recommendation

//Note: consensus is for direction stated in this document. A final form of the harmonization and use case will be incorporated in the forthcoming implementation guide.//
**Proposed Harmonization Statement for Query for Digital Certificate Use Case for Direct Project**

**Group Recommendation**

This group recommends the following "hybrid approach" as a generic solution to the “Query for Digital Certificate Use Case for Direct Project”:
 * 1) DNS is used as the backbone for Direct Project certificate discovery because of its availability, centralized roots and replication capability.
 * 2) LDAP based repositories of Direct Project digital certificates will be supported by:
   * creating DNS SRV records for their specific domain(s)
   * supporting anonymous bind
   * supporting a query and response for the Direct Project digital certificate(s) using a Direct Project address
 * 3) The process for discovery should be:
   * Query DNS for the Digital Certificate using the current reference implementation process; if it is not found, progress to the LDAP query
   * LDAP query:
     * Query DNS for an SRV record for an LDAP service
     * If an SRV record is found, query the LDAP service using an anonymous bind for the Digital Certificate
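The discovery order above, written out as an added example (not Direct Project reference-implementation code). It assumes the address-bound CERT name is local.domain with the bare domain as a fallback, and that the LDAP service is advertised under the RFC 2782 label _ldap._tcp.domain; the DNS and LDAP lookups are injected callables backed here by constructed sample data so the logic runs offline.

```python
"""Hybrid discovery: DNS CERT first, then DNS SRV -> anonymous LDAP query.
The lookups are injected callables so the decision logic runs offline; a real
deployment would back them with a DNS resolver and an LDAP client.
"""
from typing import Callable

CertLookup = Callable[[str], list[bytes]]                       # CERT RRs for a name
SrvLookup = Callable[[str], list[tuple[int, int, int, str]]]    # (prio, weight, port, target)
LdapQuery = Callable[[str, int, str], list[bytes]]              # anonymous search by address


def discover_certificate(address: str, cert_lookup: CertLookup,
                         srv_lookup: SrvLookup, ldap_query: LdapQuery):
    """Return (certificate_der, source) or (None, None) if nothing is published."""
    local, _, domain = address.partition("@")
    if not local or not domain:
        raise ValueError(f"not a Direct address: {address!r}")
    # Step 1: DNS CERT lookup. Assumed naming: address-bound record at
    # local.domain, then a domain-bound record at the bare domain.
    for name in (f"{local}.{domain}", domain):
        certs = cert_lookup(name)
        if certs:
            return certs[0], f"dns:{name}"
    # Step 2: DNS SRV record advertising an LDAP service for the domain (assumed label).
    records = srv_lookup(f"_ldap._tcp.{domain}")
    # Lowest priority value first; higher weight first within a priority
    # (RFC 2782 asks for weighted random choice; deterministic here).
    for _prio, _weight, port, target in sorted(records, key=lambda r: (r[0], -r[1])):
        try:
            certs = ldap_query(target, port, address)
        except OSError:
            continue            # unreachable server: try the next SRV target
        if certs:
            return certs[0], f"ldap://{target}:{port}"
    return None, None           # discovery failed; caller cannot encrypt to this address


# Constructed sample data standing in for DNS zones and an LDAP directory.
SAMPLE_CERT = {"drjones.clinic.example": [b"DER-CERT-ADDRESS-BOUND"]}
SAMPLE_SRV = {"_ldap._tcp.hospital.example": [(10, 0, 389, "ldap1.hospital.example"),
                                               (20, 0, 389, "ldap2.hospital.example")]}
SAMPLE_LDAP = {("ldap2.hospital.example", 389, "nurse@hospital.example"): [b"DER-CERT-FROM-LDAP"]}

def sample_cert_lookup(name): return SAMPLE_CERT.get(name, [])
def sample_srv_lookup(name): return SAMPLE_SRV.get(name, [])
def sample_ldap_query(host, port, address):
    if host == "ldap1.hospital.example":
        raise OSError("connection refused")   # simulate the primary being down
    return SAMPLE_LDAP.get((host, port, address), [])
```

Discovery only locates a certificate; whether it is trusted is decided afterwards against the trust anchors required by the Applicability Statement.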

**Rationale**
 * This mechanism ensures ultimate discoverability based on the strength of DNS.
 * This mechanism keeps the interchange for the requesting system to a minimum whenever DNS is able to provide the certificate. In addition, it ensures broad, unrestricted accessibility to LDAP repositories of certificates.
 * Neither method alone can ensure ultimate discoverability and ultimate accessibility as they exist today. This is the basis and rationale for the hybrid approach from this work group.

This recommendation will be referred to as the "hybrid digital certificate discovery approach".

As part of the environmental scan, the S&I Harmonization effort for the “Query for Digital Certificate Use Case for Direct Project” believes that there are strengths and weaknesses in both the DNS and LDAP methods of certificate discovery. The following enumerates only strengths, weaknesses, facts and assumptions relevant to this use case:

**Strengths and Weaknesses of DNS and of LDAP**

 * DNS has the advantage of global availability and centralized root servers controlled by ICANN, with a governance structure for domain names, but it is not a general-purpose directory.
 * DNS is currently implemented and providing Digital Certificate discovery for a number of Direct pilots at a limited scale.
 * DNS has a disadvantage that a significant number of DNS servers currently do not support the CERT record and therefore cannot participate as repositories for Digital Certificates for Direct Addresses.
 * DNS requires the requester to switch from UDP to TCP and repeat the query if the response packet exceeds 512 bytes, as is frequently the case with Digital Certificates.
 * DNS and associated technologies may still be unable to handle larger DNS response packets successfully.
 * DNS implementations widely support the SRV record to identify internet accessible services.
 * LDAP has the advantage of broad implementation and support in the healthcare community and significant use for the establishment and deployment of electronic directories for providers inside many organizations.
 * LDAP/X.500 has demonstrated the capacity to deliver X.509v3 Certificates, including in federal programs (see references below).
 * LDAP/X.500 has demonstrated the capability to support federation or other distributed access (see references below).
 * It is anticipated that many large healthcare organizations will store their Direct Project Digital Certificates in LDAP based directories for internal use.
 * Off the shelf email applications natively support LDAP for retrieval of certificates.

**The Direct Project reference implementations currently have the capability to support**

 * 1) DNS for public key discovery
 * 2) LDAP for public key discovery
 * 3) The Java code supports more than one discovery method, with a flexible hierarchy for method selection

**Work effort needed for The Direct Project reference implementation to support the hybrid model**

**General Approach**

 * 1) Write implementation guidelines for publishing and discovering Digital Certificates using an anonymous LDAP query discovered via the DNS SRV record (a guideline development workspace has been set up for this).
 * 2) Update the Java RI code to add a new Resolver for discovering Digital Certificates using an anonymous LDAP query discovered via the DNS SRV record for a given domain (estimate 2 weeks including testing).
 * 3) Update the .NET RI code to add a chain of responsibility design pattern and a new Resolver for discovering Digital Certificates using an anonymous LDAP bind discovered via the DNS SRV record for a given domain.
 * 4) Test in pilot and evaluate.

**Risks**

 * There are no identified risks with the discovery of public digital certificates as defined in this use case.
 * There are risks associated with the issuance and use of public digital certificates that must be addressed; see the Applicability Statement for Secure Health Transport of the Direct Project.

**LDAP/X.500 References**

 * The LDAP/X.500 global structure for Internet Directory Services was originally piloted by the National Science Foundation in 1993 as the [|Internic Directory Services] Grant 93-52, built on ITU and IETF standards.

**Federated delivery of X.509V3 certificates for identity management as evidenced by**

 * LDAP/X.500 used during Internic pilot for global distribution of X.509v3 certificates by Entrust and Sandia Labs.
 * LDAP/X.500 continued to be used by the Energy Labs for federated certificates via the Energy Grid as part of a Federal system.
 * LDAP/X.500 is widely used as a source of data for [|Internet2] federations, which also extend to incorporate other technologies such as SAML via [|Shibboleth].
 * LDAP/X.500 can be used as a source for [|other IDM technologies being developed in the cloud] as well as other [|IDM Directory providers via HTTP].