[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: updated Signed Directory Operations Draft <draft-ietf-ldapext -sigops-02.txt>

To: d.w.chadwick@iti.salford.ac.uk, ietf-ldapext@netscape.com
Subject: RE: updated Signed Directory Operations Draft <draft-ietf-ldapext -sigops-02.txt>
From: Bruce Greenblatt <Bgreenblatt@rsa.com>
Date: Mon, 31 Aug 1998 10:47:01 -0700
Resent-date: Mon, 31 Aug 1998 10:45:35 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"ims2g1.0.EJ6.r4kwr"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

David,

Thanks for the suggestion.  Your ASN.1 construct is MUCH better than mine.
I'll update the draft.

Bruce

> -----Original Message-----
> From:	David Chadwick [SMTP:d.w.chadwick@iti.salford.ac.uk]
> Sent:	Monday, August 31, 1998 1:27 AM
> To:	Bruce Greenblatt; ietf-ldapext@netscape.com
> Subject:	Re: updated Signed Directory Operations Draft
> <draft-ietf-ldapext-sig	ops-02.txt>
> 
> > 
> >      SignedOperation ::= CHOICE {
> >           signbyServer   [0] BOOLEAN,
> >           signatureIncluded   [1] OCTET STRING
> >      }
> > 
> > 
> >      If the SignatureIncluded CHOICE is used, then the OCTET string is
> > just an S/MIME message of the multipart/signed variety, that is composed
> > of a single piece, that is the signature of the directory operation.
> > Multipart/signed MIME objects are defined in [3].  If the SignbyServer
> > CHOICE us used, then the LDAP server creates the signature on behalf of
> 
> Bruce,
> 
> the ASN.1 construct for Signed Operation seems awkward to me. In a choice,
> 
> either parameter can be chosen, and the chosen one then takes the 
> appropriate values for that parameter. In your construct you effectively
> have 3 
> outcomes
> 
> i) signed by server TRUE
> ii) signed by server FALSE
> iii) signature included, an OCTET STRING.
> 
> I dont think this is what you intended, and your descriptive text
> certainly only 
> caters for two options, i) and iii) above, and not for ii).
> 
> May I suggest the following alternative ASN.1 constructs for you to
> consider
> 
>       SignedOperation ::= SEQUENCE {
>          signbyServer    BOOLEAN DEFAULT FALSE,
>          signatureIncluded   OCTET STRING OPTIONAL  --only present if
> 
>                                                           -- signByServer
> is FALSE
>          }
> 
> With this construct, values would either consist of
> i) a TRUE value, or
> ii) an OCTET STRING
> 
> which I think is what you wanted.
> 
> Note that the tags are not needed because the two types are different and 
> cannot be confused by the recipient.
> 
> 
> David
> 
> ***************************************************
> 
> David Chadwick
> IT Institute, University of Salford, Salford M5 4WT
> Tel +44 161 295 5351  Fax +44 161 745 8169
> Mobile +44 370 957 287
> Email D.W.Chadwick@iti.salford.ac.uk
> Home Page  http://www.salford.ac.uk/its024/chadwick.htm
> Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
> X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
> 
> ***************************************************

Follow-Ups:
- Re: updated Signed Directory Operations Draft <draft-ietf-ldapext
  - From: Steven Legg <s.legg@trl.telstra.com.au>

Prev by Date: Re: updated Signed Directory Operations Draft <draft-ietf-ldapext-sig ops-02.txt>
Next by Date: base referrals issue/idea?
Index(es):
- Chronological
- Thread