[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Certificate transfer syntax

To: Mark C Smith <mcs@netscape.com>
Subject: Re: LDAP Certificate transfer syntax
From: David Chadwick <d.w.chadwick@salford.ac.uk>
Date: Wed, 03 Apr 2002 18:45:10 +0100
Cc: LDAP BIS <ietf-ldapbis@OpenLDAP.org>, PKIX <ietf-pkix@imc.org>
Organization: University of Salford
References: <3CA860A2.20AB0F9C@salford.ac.uk> <3CAB2AF1.3080408@netscape.com>

Mark

We are not dropping the ;binary option, you can still use it, but its
functionality is redundant as the "native" LDAP encoding is BER.

To put the other view, I have heard that some other LDAPv3 directories
are unable to accept the ;binary option anyway. So what I am now arguing
for is leniency on the part of servers, that they neither demand nor
reject the use of ;binary, but just ignore it if it is there.

David


Mark C Smith wrote:
> 
> I am still concerned about how dropping the ;binary transfer option that
> was mandated by RFC 2252 will affect the large installed base of LDAPv3
> and PKI implementations (of course some PKI clients are already trying
> to use userCertificate without ;binary with LDAPv3 implementations, and
> not surprisingly there are having a difficult time).
> 
> But if consensus is to proceed with this proposal, then I think the
> conflict with RFC 2252 should be noted in the PKIX document (there is a
> lot of history behind all of this, and implementors and users who do not
> know all of it will undoubtedly be confused).
> 
> -Mark Smith
>   Netscape
> 
> David Chadwick wrote:
> > Colleagues
> >
> > Here is my proposed change to the section describing the LDAP syntax for
> > cerificates in the PKIX id
> > <draft-pkix-ldap-schema-03.txt> which should be published before the end
> > of April. As this is likely to be the most contentious part of the new
> > ID, I thought it would be useful to distribute this text at the earlier
> > possible moment.
> >
> > All constructive comments welcomed
> >
> > David
> >
> >
> > 3.3  Certificate Syntax
> >
> > A value in this transfer syntax is the binary octet string that results
> > from BER or DER-encoding of an X.509 public key certificate.  The
> > following string states the OID assigned to this syntax:
> >
> >       ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' )
> >
> > Servers must preserve values in this syntax exactly as given when
> > storing and retrieving them.
> >
> > Note. Due to the changes from X.509(1988) to X.509(1993) and subsequent
> > changes to the ASN.1 definition to support certificate extensions in
> > X.509(1997), no character string transfer syntax is defined for
> > certificates. The BNF notation in RFC 1778 [12] for "User Certificate"
> > MUST NOT be used. Values in this syntax MUST be transferred as BER or
> > DER encoded octets. The use of the ;binary encoding option, i.e. by
> > requesting or returning the attributes with descriptions
> > "userCertificate;binary" or "caCertificate;binary" has no effect on the
> > transfer syntax.

-- 
*****************************************************************

David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351  Fax +44 161 745 8169
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@salford.ac.uk
Home Page:  http://www.salford.ac.uk/its024/chadwick.htm
Research Projects: http://sec.isi.salford.ac.uk
Understanding X.500:  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

begin:vcard 
n:Chadwick;David
tel;cell:+44 77 96 44 7184
tel;fax:+44 1484 532930
tel;home:+44 1484 352238
tel;work:+44 161 295 5351
x-mozilla-html:FALSE
url:http://www.salford.ac.uk/its024/chadwick.htm
org:University of Salford;IS Institute
version:2.1
email;internet:d.w.chadwick@salford.ac.uk
title:Professor of Information Security
adr;quoted-printable:;;The Crescent=0D=0A;Salford;Greater Manchester;M5 4WT;England
note;quoted-printable:Research Projects: http://sec.isi.salford.ac.uk.......................=0D=0A=0D=0AUnderstanding X.500:  http://www.salford.ac.uk/its024/X500.htm .......................=0D=0A=0D=0AX.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm...................=0D=0A=0D=0AEntrust key validation string: CJ94-LKWD-BSXB ...........=0D=0A=0D=0APGP Key ID is 0xBC238DE5
x-mozilla-cpt:;-4856
fn:David Chadwick
end:vcard

References:
- LDAP Certificate transfer syntax
  - From: David Chadwick <d.w.chadwick@salford.ac.uk>
- Re: LDAP Certificate transfer syntax
  - From: mcs@netscape.com (Mark C Smith)

Prev by Date: Re: LDAP Certificate transfer syntax
Next by Date: Re: LDAP Certificate transfer syntax
Index(es):
- Chronological
- Thread