Re: (ITS#5695) AC syntax in OpenLDAP
Other comments:
- you seem to have hijacked the OIDs for the AttributeCertificate and
attributeCertificateExactAssertion syntaxes. I'll generate two under
the OpenLDAP experimental arc, unless anyone can point me to any
officially assigned. I don't think so, as the only document I could
locate on the topic is a draft expired in 2001
(draft-ietf-pkix-ldap-schema), with no OID assigned by IANA.
- as far as I can understand, the attributeCertificateExactAssertion
allows more options; a fairly generic case would be
{ serialNumber 'dd'H,
  issuer { issuerName { directoryName:rdnSequence:"cn=y" }, -- optional
           baseCertificateID { serial '1d'H,
                               issuer { directoryName:rdnSequence:"cn=z" },
                               issuerUID "<value>" -- optional
                             }, -- optional
           objectDigestInfo { ... } -- optional
         }
}
while your implementation requires
{ serialNumber 'dd'H,
  issuer {
    baseCertificateID {
      serial '1d'H,
      issuer { directoryName:rdnSequence:"cn=z" }
    }
  }
}
nothing more and nothing less. If I'm correct, your implementation
would pose some interoperability issues; yet, it represents a good
starting point, given the absence of any standards-track specification of
PMI.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
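Added example (not code from the ITS, the submitter or OpenLDAP): a small Python DER encoder and decoder for the two assertion shapes discussed above, showing that a decoder which insists on the exact form the implementation requires rejects the generic form carrying an issuerName. The ASN.1 tagging (X.509 AttributeCertificateDefinitions with IMPLICIT TAGS), the cn-only names, the omitted issuerUID/objectDigestInfo and the short-form-length-only DER are assumptions.

```python
# Assumed ASN.1 (X.509 AttributeCertificateDefinitions, IMPLICIT TAGS; not quoted in the thread):
#   AttributeCertificateExactAssertion ::= SEQUENCE { serialNumber INTEGER, issuer AttCertIssuer }
#   AttCertIssuer ::= [0] SEQUENCE { issuerName GeneralNames OPTIONAL,
#       baseCertificateID [0] IssuerSerial OPTIONAL, objectDigestInfo [1] ObjectDigestInfo OPTIONAL }
#   IssuerSerial ::= SEQUENCE { issuer GeneralNames, serial INTEGER }   -- issuerUID omitted here
# Names are a single cn=<value> RDN with a UTF8String; every length stays below 128 bytes.

def tlv(tag, body):
    assert len(body) < 0x80, "short-form DER lengths only"
    return bytes([tag, len(body)]) + body

def der_int(n):
    # Non-negative INTEGER in the minimal positive two's-complement length.
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def cn_name(cn):
    # Name (rdnSequence): SEQUENCE OF SET OF SEQUENCE { OID 2.5.4.3, UTF8String }
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def general_names(cn):
    # directoryName [4] stays EXPLICIT because Name is a CHOICE.
    return tlv(0x30, tlv(0xA4, cn_name(cn)))

def issuer_serial(cn, serial):
    return general_names(cn) + der_int(serial)  # caller tags it ([0] IMPLICIT replaces SEQUENCE)

def encode_assertion(serial, base_cn, base_serial, issuer_name_cn=None):
    issuer = b""
    if issuer_name_cn is not None:  # the optional issuerName of the "generic" case
        issuer += general_names(issuer_name_cn)
    issuer += tlv(0xA0, issuer_serial(base_cn, base_serial))
    return tlv(0x30, der_int(serial) + tlv(0xA0, issuer))

def read_tlvs(buf):
    # Split a DER buffer into (tag, body) pairs; short-form lengths only.
    out, i = [], 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        assert length < 0x80
        out.append((tag, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return out

def parse_assertion(der, strict):
    # Return serialNumber and the AttCertIssuer components present. In strict mode
    # accept only the shape the reviewed implementation requires: baseCertificateID alone.
    (tag, body), = read_tlvs(der)
    assert tag == 0x30
    (_, serial_body), (issuer_tag, issuer_body) = read_tlvs(body)
    assert issuer_tag == 0xA0
    names = {0x30: "issuerName", 0xA0: "baseCertificateID", 0xA1: "objectDigestInfo"}
    found = [names[t] for t, _ in read_tlvs(issuer_body)]
    if strict and found != ["baseCertificateID"]:
        raise ValueError("strict decoder accepts only baseCertificateID, got %s" % found)
    return {"serialNumber": int.from_bytes(serial_body, "big"), "issuer": found}
```

`encode_assertion(0xdd, "z", 0x1d)` builds the exact form from the thread and `encode_assertion(0xdd, "z", 0x1d, issuer_name_cn="y")` the generic one; only the first passes `parse_assertion(..., strict=True)`.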