As Ron points out, the syntax for "userCertificate" is "Certificate" - end of story.
This is one of the reasons why the ";binary" attribute option was developed - so that a userCertificate could be stored into the directory and retrieved "intact" so that it could be put to use in PKI-based applications.
I was trying to summarize what the discussion from the LDAPbis work group came to with respect to the "Binary" and "octetString" syntaxes. The consensus was that to get "bytes in == bytes out" (where "bytes" are not necessarily a BER-encoded stream of bytes), use the "octet string" syntax.
(Presumably it means that certificates would be stored with certificate
syntax and recognised by the server as a special case. For other values, if
there is a need to store them exactly as they were added, define their
syntax to be octet string. -Ron)
From: Volpers, Helmut [mailto:firstname.lastname@example.org]
Sent: Thursday, 13 December 2001 21:30
To: 'Timothy Hahn'; ietf-ldapbis@OpenLDAP.org
Subject: RE: storing certificates "as is"
What does this mean? Does it mean you want to give a Certificate
OctetString syntax?
Does it mean you do not have to check the syntax and don't need special
matching rules?
What will be the equality matching rule: the issuer name and the serial
number, or the complete octet string?
From: Timothy Hahn [mailto:email@example.com]
Sent: Thursday, 13 December 2001 01:54
Subject: Re: storing certificates "as is"
Actually, for many syntaxes that have been defined, I believe that the
statement is more along the lines that the server MUST return an
"equivalent" value, but it need not be the exact same stream of bytes.
Based on the discussion during the workgroup today, it sounded to me as
though the "octet string" syntax was what SHOULD be used if the desired
behavior is "bytes in == bytes out".
David Chadwick <firstname.lastname@example.org>
Sent by: owner-ietf-ldapbis@OpenLDAP.org
12/12/2001 05:26 PM
Subject: storing certificates "as is"
Does anyone know where there is text that states that a server must
return exactly the same information (attribute value) that was presented
to it, either always or when the ;binary encoding is used? This is
obviously essential for all signed values, e.g. certificates, CRLs, etc.
Before I add this text into every schema definition for signed objects,
it would be nice to know that an LDAPv3bis document already contained
text along these lines as a general statement, rather than making it
specific to signed attribute values.
David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351 Fax +44 161 745 8169
Mobile: +44 77 96 44 7184
Home Page: http://www.salford.ac.uk/its024/chadwick.htm
Research Projects: http://sec.isi.salford.ac.uk
Understanding X.500: http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
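The following is an added illustration of the "bytes in == bytes out" concern discussed in this thread; it is not code from any of the participants or from any LDAP server. It models two storage behaviours with a small BER/DER encoder-decoder written for this example: a server that decodes a value with Certificate syntax and later returns an equivalent re-encoding (DER here), versus a server that stores the value under Octet String syntax as opaque bytes. The sample value is a constructed ASN.1 SEQUENCE, not a real certificate, written in BER with an indefinite-length SEQUENCE and a non-minimal length on the INTEGER, so that a DER re-encoding is a different byte string for the same abstract value. The function names are this example's own.

```python
import hashlib


def read_tlv(buf, pos=0):
    """Parse one BER TLV starting at buf[pos].

    Returns (tag, value, end). For primitive types value is bytes; for
    constructed types it is a list of (tag, value) children. Accepts
    definite short/long-form lengths (minimal or not) and indefinite
    length (0x80 ... 0x00 0x00), i.e. the encodings BER permits but DER
    forbids.
    """
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first == 0x80:  # indefinite length: children run until end-of-contents
        children = []
        while True:
            if pos + 1 >= len(buf):
                raise ValueError("missing end-of-contents octets")
            if buf[pos] == 0 and buf[pos + 1] == 0:
                return tag, children, pos + 2
            ctag, cval, pos = read_tlv(buf, pos)
            children.append((ctag, cval))
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    value = buf[pos:end]
    if tag & 0x20:  # constructed: parse the children of the contents
        children, p = [], 0
        while p < len(value):
            ctag, cval, p = read_tlv(value, p)
            children.append((ctag, cval))
        return tag, children, end
    return tag, value, end


def der_encode(tag, value):
    """Re-encode a parsed node with DER rules: definite, minimal lengths."""
    if isinstance(value, list):
        body = b"".join(der_encode(t, v) for t, v in value)
    else:
        body = bytes(value)
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def store_certificate_syntax(value):
    """Model of a server that decodes a Certificate-syntax value and returns an
    *equivalent* value (a DER re-encoding), not necessarily the same bytes."""
    tag, node, end = read_tlv(value)
    if end != len(value):
        raise ValueError("trailing bytes after value")
    return der_encode(tag, node)


def store_octet_string(value):
    """Model of a server storing under Octet String syntax: opaque bytes back."""
    return bytes(value)


def fingerprint(value):
    """Stand-in for anything computed over the exact bytes (signature, hash)."""
    return hashlib.sha256(value).hexdigest()


def octet_string_match(a, b):
    """octetStringMatch-style equality: bytewise."""
    return a == b


def equivalent_value_match(a, b):
    """Equality of the abstract ASN.1 value: compare canonical (DER) forms."""
    return store_certificate_syntax(a) == store_certificate_syntax(b)


# Constructed sample (not a real certificate):
#   SEQUENCE { INTEGER 2, OCTET STRING "sig" }
# BER form: indefinite-length SEQUENCE, non-minimal length 0x81 0x01 on the INTEGER.
BER_VALUE = bytes.fromhex("30 80 02 81 01 02 04 03 73 69 67 00 00")
# DER form of the same abstract value.
DER_VALUE = bytes.fromhex("30 08 02 01 02 04 03 73 69 67")

if __name__ == "__main__":
    print("octet string preserves bytes:", store_octet_string(BER_VALUE) == BER_VALUE)
    print("certificate syntax preserves bytes:", store_certificate_syntax(BER_VALUE) == BER_VALUE)
    print("bytewise equal:", octet_string_match(BER_VALUE, DER_VALUE))
    print("equivalent values:", equivalent_value_match(BER_VALUE, DER_VALUE))
```

Run it and the two storage models diverge on the BER input: the Octet String model hands back the same bytes (so a fingerprint or signature computed over them still checks), while the re-encoding model returns the DER form, which is the same abstract value but a different byte string. The last two functions show the matching-rule side of the question above: under bytewise equality the two encodings are different values, under value equality they are the same.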