[Date Prev][Date Next] [Chronological] [Thread] [Top]

Certificate list validation



I'm playing with certification authorities and so, and I came across
certificate lists.  Currently, the certificate list syntax
1.3.6.1.4.1.1466.115.121.1.9 is validated by sequenceValidate, which
simply checks if the value starts with a LBER_SEQUENCE tag.  After
reading related RFCs and X.509 I understood that a certificate list is
always supposed to be a complete structure, respectful of X.509 7.3.

I stumbled on this problem because I have to implement an architecture
based on strongAuthenticationUser and certificationAuthority (I know
they're deprecated in favor of pkiUser and pkiCA, but this is not an
option right now, unfortunately), where the latter requires
authorityRevocationList and certificateRevocationList.

When the lists are empty, common practice allowed to use an arbitrary
dummy value, while OpenLDAP requires at least ":: MAAAAA==" (i.e.
LBER_SEQUENCE in base64) to fool sequenceValidate().

I'd like to know:

- is my understanding of X.509 correct? (certificate lists need to be
complete as per X.509 7.3, with no revokedCertificates)

- is there any other common practice to deal with empty
authorityRevocationList/certificateRevocationList?

- would a certificateListValidate() that complies with X.509 7.3 be
helpful/welcome in 2.4?

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------