Re: (ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)
- From: hyc@symas.com
- Date: Mon, 1 Feb 2010 00:58:43 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Erwann Abalea wrote:
> Hodie III Kal. Feb. MMX, Howard Chu scripsit:
(Sorry, just had to laugh, using a ~3000 year old language in email...)
>> erwann.abalea@keynectis.com wrote:
>> Also note that, technically, LDAP is defined to conform to the 1993
>> edition of the X.500 specs, and X.509(1993) makes no such allowance
>> here.
>
> I didn't know that LDAP was designed to conform to a specific edition
> of the standard. Isn't that strange? After all, it should also refuse
> to handle X.509v2 CRLs, and X.509v3 certificates, which appear for the
> first time in the 1997 edition.
> Anyway, I hadn't thought about looking at older revisions of the X.509
> standard. You're right, my 1997 edition doesn't say anything about
> this, and my 2000 edition (a French version) has the same text as the
> 2005 one.
See RFC4510, section 2. Yes, it's certainly an inconsistency in the LDAP spec,
that RFC4513 requires use of subjectAltNames, which clearly require X.509v3
certs, but the only normative references to the necessary edition of X.509 are
outside the core specification. (Looking again I see that RFC4523 references
X.509(2000), so it appears that some portions of newer X.500 editions are being
incorporated, piecemeal...)
> Anyway, thank you again. I'll test the head version and will come back
> later.
> BTW, what do you mean by "needs some thought" (in the ticket notes)?
I hadn't decided yet if slapd should log a warning for this or not.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/