
Re: LDAP Certificate transfer syntax
This text does not clearly "MUST" the use of ;binary as
RFC 2252 and RFC 2256 did.  As previously noted, this
"MUST" should not be dropped as doing so will cause
interoperability problems between implementations of
the current technical specification and the revised
technical specification.

Kurt

At 05:29 AM 2002-04-01, David Chadwick wrote:
>Colleagues
>
>Here is my proposed change to the section describing the LDAP syntax for
>certificates in the PKIX id
><draft-pkix-ldap-schema-03.txt> which should be published before the end
>of April. As this is likely to be the most contentious part of the new
>ID, I thought it would be useful to distribute this text at the earliest
>possible moment.
>
>All constructive comments welcomed
>
>David
>
>
>3.3  Certificate Syntax
>
>A value in this transfer syntax is the binary octet string that results
>from BER or DER-encoding of an X.509 public key certificate.  The
>following string states the OID assigned to this syntax:
>
>      ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' )
>
>Servers must preserve values in this syntax exactly as given when
>storing and retrieving them. 
>
>Note. Due to the changes from X.509(1988) to X.509(1993) and subsequent
>changes to the ASN.1 definition to support certificate extensions in
>X.509(1997), no character string transfer syntax is defined for
>certificates. The BNF notation in RFC 1778 [12] for "User Certificate"
>MUST NOT be used. Values in this syntax MUST be transferred as BER or
>DER encoded octets. The use of the ;binary encoding option, i.e. by
>requesting or returning the attributes with descriptions
>"userCertificate;binary" or "caCertificate;binary" has no effect on the
>transfer syntax.
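A worked illustration of the quoted proposal, added here and not part of the thread: it treats `userCertificate;binary` and `userCertificate` as the same attribute type (the ;binary option changes nothing about the syntax) and checks that a stored value is exactly one definite-length DER SEQUENCE, kept byte for byte. The DER value and the LDIF fragment are constructed samples, not a real certificate.

```python
import base64

# Constructed sample, not from the thread: a minimal DER SEQUENCE
# { INTEGER 1, OCTET STRING "example" } standing in for a certificate.
SAMPLE_DER = bytes.fromhex("300c020101" + "0407" + "example".encode().hex())

# Constructed LDIF fragment: the same octets stored once with and once
# without the ;binary option, as an RFC 2252-era and a revised client would.
SAMPLE_LDIF = (
    "dn: cn=example,dc=example,dc=org\n"
    "userCertificate;binary:: " + base64.b64encode(SAMPLE_DER).decode() + "\n"
    "userCertificate:: " + base64.b64encode(SAMPLE_DER).decode() + "\n"
)

def attribute_type(description):
    """Attribute type of an LDAP attribute description with the ;binary
    option removed; other options (e.g. lang-) are kept, in order."""
    parts = description.strip().lower().split(";")
    options = [o for o in parts[1:] if o != "binary"]
    return ";".join([parts[0]] + options)

def der_sequence_length(buf):
    """Total length of a single DER SEQUENCE at the start of buf, or None
    if buf does not start with a well-formed definite-length SEQUENCE."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(buf) < 2 + n:          # indefinite form is BER, not DER
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def is_certificate_octets(value):
    """True when value is exactly one DER SEQUENCE with nothing trailing."""
    total = der_sequence_length(value)
    return total is not None and total == len(value)

def ldif_certificate_values(ldif_text):
    """Map attribute type (;binary dropped) to its base64-decoded values."""
    found = {}
    for line in ldif_text.splitlines():
        if "::" not in line:                # only base64 ("::") values matter here
            continue
        desc, b64 = line.split("::", 1)
        found.setdefault(attribute_type(desc), []).append(base64.b64decode(b64.strip()))
    return found
```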