
Re: LDAP Certificate transfer syntax



David:

Is it possible to preserve the DER encoding? If not, then the DER encoding must be restored in order to validate the signature? This just seems like wasted processing to me.

Russ


At 02:29 PM 4/1/2002 +0100, David Chadwick wrote:
Colleagues

Here is my proposed change to the section describing the LDAP syntax for
certificates in the PKIX id
<draft-pkix-ldap-schema-03.txt> which should be published before the end
of April. As this is likely to be the most contentious part of the new
ID, I thought it would be useful to distribute this text at the earliest
possible moment.

All constructive comments welcomed

David


3.3 Certificate Syntax

A value in this transfer syntax is the binary octet string that results
from BER or DER-encoding of an X.509 public key certificate.  The
following string states the OID assigned to this syntax:

      ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' )

Servers must preserve values in this syntax exactly as given when
storing and retrieving them.

Note. Due to the changes from X.509(1988) to X.509(1993) and subsequent
changes to the ASN.1 definition to support certificate extensions in
X.509(1997), no character string transfer syntax is defined for
certificates. The BNF notation in RFC 1778 [12] for "User Certificate"
MUST NOT be used. Values in this syntax MUST be transferred as BER or
DER encoded octets. The use of the ;binary encoding option, i.e. by
requesting or returning the attributes with descriptions
"userCertificate;binary" or "caCertificate;binary" has no effect on the
transfer syntax.
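The following is an added illustration of the point the proposed text and Russ's question turn on; it is not part of the draft or of either message. An X.509 signature is computed over the DER encoding of tbsCertificate, so a client that verifies a certificate needs exactly those octets. If a server hands back the same ASN.1 value re-encoded in BER (here, with indefinite lengths), the tbsCertificate octets differ and the client has to restore DER before hashing. The code assumes single-byte tags and normalizes only length encodings (it does not perform full DER canonicalization, for example of SET ordering); the certificate-shaped value is a constructed stand-in with a dummy BIT STRING, not a real certificate.

```python
import hashlib

# Minimal BER/DER TLV handling (assumption: single-byte tags only).


def _read_len(buf, i):
    """Return (length, index_of_content); length None means indefinite (BER only)."""
    b = buf[i]
    if b < 0x80:
        return b, i + 1
    if b == 0x80:
        return None, i + 1
    n = b & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def parse_tlv(buf, i=0):
    """Parse one TLV at buf[i] and return ((tag, content), end_index).

    content is raw bytes for a primitive value, or a list of child TLVs
    for a constructed one. Definite and indefinite lengths are accepted."""
    tag = buf[i]
    length, j = _read_len(buf, i + 1)
    constructed = bool(tag & 0x20)
    if length is None:
        if not constructed:
            raise ValueError("indefinite length is only legal on constructed types")
        kids = []
        while buf[j:j + 2] != b"\x00\x00":      # end-of-contents octets
            kid, j = parse_tlv(buf, j)
            kids.append(kid)
        return (tag, kids), j + 2
    end = j + length
    if constructed:
        kids = []
        while j < end:
            kid, j = parse_tlv(buf, j)
            kids.append(kid)
        return (tag, kids), end
    return (tag, buf[j:end]), end


def der_len(n):
    """Shortest definite-length encoding of n, as DER requires."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def to_der(tlv):
    """Re-encode a parsed TLV tree with minimal definite lengths."""
    tag, content = tlv
    body = b"".join(to_der(k) for k in content) if isinstance(content, list) else content
    return bytes([tag]) + der_len(len(body)) + body


def to_ber_indefinite(tlv):
    """Re-encode the same value as BER with indefinite lengths on constructed types
    (what a non-preserving server might legitimately emit)."""
    tag, content = tlv
    if isinstance(content, list):
        return bytes([tag, 0x80]) + b"".join(to_ber_indefinite(k) for k in content) + b"\x00\x00"
    return bytes([tag]) + der_len(len(content)) + content


def is_der(buf):
    """True if the octets round-trip unchanged through the length-normalizing re-encoder."""
    tlv, end = parse_tlv(buf)
    return end == len(buf) and to_der(tlv) == buf


def tbs_bytes(cert_octets):
    """Raw octets of the first element of the outer SEQUENCE (tbsCertificate), exactly as stored."""
    _, j = _read_len(cert_octets, 1)          # skip outer SEQUENCE tag and length
    _, end = parse_tlv(cert_octets, j)
    return cert_octets[j:end]


def tbs_digest(cert_octets, restore=False):
    """SHA-256 over the tbsCertificate octets, optionally after restoring DER first."""
    octets = to_der(parse_tlv(cert_octets)[0]) if restore else cert_octets
    return hashlib.sha256(tbs_bytes(octets)).hexdigest()


# Constructed certificate-shaped sample:
#   SEQUENCE { SEQUENCE { INTEGER 2 }, SEQUENCE { OID sha256WithRSAEncryption }, BIT STRING }
TBS = (0x30, [(0x02, b"\x02")])
ALG = (0x30, [(0x06, bytes.fromhex("2a864886f70d01010b"))])
SIG = (0x03, b"\x00" + b"\xaa" * 4)            # dummy signature value, not a real one
CERT = (0x30, [TBS, ALG, SIG])

DER_CERT = to_der(CERT)                 # what the CA signed and what a preserving server returns
BER_CERT = to_ber_indefinite(CERT)      # same value, different octets

if __name__ == "__main__":
    print("DER preserved:", is_der(DER_CERT), "| BER variant is DER:", is_der(BER_CERT))
    print("tbs digest, DER as stored   :", tbs_digest(DER_CERT))
    print("tbs digest, BER as stored   :", tbs_digest(BER_CERT))
    print("tbs digest, BER restored    :", tbs_digest(BER_CERT, restore=True))
```

Only the restored digest matches the one the signer computed, which is the extra step Russ refers to; a server that preserves values exactly, as the proposed text requires, lets the client hash the stored octets directly and also makes "is the stored value still DER" a cheap integrity check on the directory.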