
Re: Assertion values and ;binary



Volpers, Helmut wrote:
> 7. Recommendation
>
> We could as a recommendation say what I tried to explain in section 6.
>
> - The presence of the ;binary option always means that the attribute
>   value is BER-encoded
> - The absence of the ;binary option cannot be handled the same way for
>   all attributes
>   · For attributes for which an LDAP Syntax/Native syntax is defined,
>     the absence of ;binary has the consequence that the encoding of the
>     value is the LDAP string encoding.
>   · For attributes which have no LDAP Syntax/Native syntax, the absence
>     of the ;binary option shall be ignored. The encoding of the value
>     shall always be the BER/DER encoding.


The recommendation in the last paragraph is not fully backwards compatible. Once again, section 6.5 of RFC 2252 ("Certificate") says:

   ... values in this syntax MUST only be transferred using the
   binary encoding ...

(sorry; I can't read it any other way). Because of 2252, today we have LDAP clients that always include ;binary (and they will continue to work if we adopt your recommendation). But we also have compliant LDAPv3 servers that will not accept or recognize attribute descriptions such as "userCertificate" (because the ;binary, which is mandated by 2252, is missing). I believe that by adopting your proposal we will create a situation where clients that comply with this new proposal fail to interoperate with a server that complies with RFC 2252. Of course the servers will be updated in due time, but there will be some confusion in the meantime.

-Mark Smith
 Netscape
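
The interoperability gap discussed in this message can be modelled in a few lines. This is an added example, not part of the original e-mail or of any LDAP server's code; the two-entry syntax table and all function names are assumptions made for illustration.

```python
# Added illustration: models the two behaviours discussed in this message.
# Constructed table (assumption): does the attribute's syntax define an LDAP
# string encoding? userCertificate uses the Certificate syntax (RFC 2252 6.5).
HAS_STRING_ENCODING = {"cn": True, "usercertificate": False}


def parse_description(desc):
    """Split 'type;opt1;opt2' into (type, options); matching is case-insensitive."""
    attr_type, *options = desc.strip().lower().split(";")
    if attr_type not in HAS_STRING_ENCODING:
        raise ValueError(f"attribute type not in sample table: {attr_type!r}")
    return attr_type, set(options)


def proposed_encoding(desc):
    """Value encoding under the quoted recommendation."""
    attr_type, options = parse_description(desc)
    if "binary" in options:
        return "BER"                 # ;binary present: always BER
    if HAS_STRING_ENCODING[attr_type]:
        return "LDAP string"         # string encoding defined and no ;binary
    return "BER"                     # no string encoding: missing ;binary is ignored


def strict_2252_server_recognizes(desc):
    """Server as described in the reply: a binary-only syntax requires ;binary."""
    attr_type, options = parse_description(desc)
    return HAS_STRING_ENCODING[attr_type] or "binary" in options


def interop_failures(descriptions):
    """Descriptions valid under the proposal that the strict server does not recognize."""
    return [d for d in descriptions if not strict_2252_server_recognizes(d)]


if __name__ == "__main__":
    # Constructed sample of attribute descriptions a client might send.
    sent = ["cn", "userCertificate;binary", "userCertificate;BINARY", "userCertificate"]
    for d in sent:
        print(f"{d:26} proposal={proposed_encoding(d):12} "
              f"strict-server-ok={strict_2252_server_recognizes(d)}")
    print("fails to interoperate:", interop_failures(sent))
```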