
RE: LDAP Certificate transfer syntax
At 03:27 PM 2002-04-05, Christopher Oliva wrote:
>I don't believe there is agreement on your supposition that the 3 cases you have outlined are non-conformant.

Well, I'd rather not rehash the whole discussion, but I believe
each actually is.

>Here are some observations on the three cases: 
>
>a) and b) 
>RFC 2252 clause 6.5 only mandates a binary encoding.
>As previously pointed out by others, there is no absolute imperative that requires the use of the ";binary" option.

How else would you indicate that the "binary" encoding was
requested/used instead of the "string" encoding?


>The part referring to the userCertificate;binary and caCertificate;binary are merely examples of how one could generate the binary encoding.
>If one were to include the use of the attribute descriptions as part of the absolute imperative, this would make it impossible to construct legal add and modify messages since this clause only allows the requesting and returning of attributes.

So, trimming the imperative down to its essence:
   Values in this syntax MUST only be transferred using the
   binary encoding.

RFC 2251 says:
   If the "binary" option is present in an AttributeDescription, it
   overrides any string-based encoding representation defined for that
   attribute in [5]. Instead the attribute is to be transferred as a
   binary value encoded using the Basic Encoding Rules [11]. 

That is, if ;binary is not present, the string-based ("native")
encoding is used.

>I'm sure you are referring to the "MUST NOT expect" clause of RFC 2251 
>clause 4.1.5.1.

No, I'm referring to the technical specification as a whole.
In particular the first paragraph of RFC 2251, 4.1.5.1 and
RFC 2252, 4.3.

>c) 
>Nowhere in the ldapv3 RFCs is there a description of the behavior for this case. There is no justification to label this as non-conformant.

You are right in that the RFC does not explicitly state this.

But it should be obvious that "CN;binary" should not be
returned unless "CN;binary" was requested.  Same goes
for userCertificate.
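The following is an added example, not part of this message or of any LDAP implementation: a small checker that applies the reading argued in the reply (RFC 2252 6.5 plus RFC 2251 4.1.5.1) to the attribute descriptions a server returns for a search. The two-entry schema, the OIDs being taken as the only certificate syntax, and the assumption that the client listed explicit attribute descriptions (no "*" or empty list) are all assumptions made for the demonstration.

```python
# Constructed mini-schema (assumption): attribute type -> syntax OID.
# Real schemas are far larger; only what the example needs is here.
CERTIFICATE_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.8"   # Certificate syntax (RFC 2252 6.5)
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"    # Directory String
SCHEMA = {
    "usercertificate": CERTIFICATE_SYNTAX,
    "cacertificate": CERTIFICATE_SYNTAX,
    "cn": DIRECTORY_STRING,
}


def parse_description(desc):
    """Split an AttributeDescription 'type;opt;opt' into (type, options).

    Attribute types and options are case-insensitive, so both are lowercased;
    options come back as a frozenset so the pair can be used as a dict/set key.
    """
    parts = [p.strip().lower() for p in desc.split(";")]
    return parts[0], frozenset(p for p in parts[1:] if p)


def check_response(requested, returned):
    """Return the list of problems found in the returned attribute descriptions.

    Rules encoded (the reply's reading of the RFCs, not a settled consensus):
      1. A value of Certificate syntax MUST travel in the binary encoding, and the
         only way to signal that on the wire is the ';binary' option; without it
         the string-based ("native") encoding applies (RFC 2251 4.1.5.1).
      2. An attribute description carrying ';binary' should only be returned if
         that exact description was requested (point (c) in the message).
    """
    wanted = {parse_description(d) for d in requested}
    problems = []
    for desc in returned:
        attr, opts = parse_description(desc)
        if SCHEMA.get(attr) == CERTIFICATE_SYNTAX and "binary" not in opts:
            problems.append(f"{desc}: certificate syntax value transferred without ';binary'")
        if "binary" in opts and (attr, opts) not in wanted:
            problems.append(f"{desc}: ';binary' returned but not requested")
    return problems


if __name__ == "__main__":
    # Constructed sample exchange: client asks for cn and userCertificate;binary.
    request = ["cn", "userCertificate;binary"]
    for reply in (["cn", "userCertificate;binary"],          # conformant
                  ["CN;binary", "userCertificate"]):         # both rules violated
        print(reply, "->", check_response(request, reply) or "ok")
```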