
Re: storing certificates "as is"

At 03:26 PM 2001-12-12, David Chadwick wrote:
>Does anyone know where there is text that states that a server must
>return exactly the same information (attribute value) that was presented
>to it, either always or when the ;binary encoding is used.

To the best of my knowledge, there is no mandate that servers
preserve values nor their representations.  The technical
specification hints at a few cases (including ;binary) where
the representation may not be preserved and at least one case
(directoryString) where the values may not be preserved.

>This is obviously essential for all signed values eg certificates, CRLs etc.

One would think that value preservation would be essential for
many applications, and, for some applications (e.g., signed data),
the preservation of the representation is as well.  It would be
quite appropriate for applications needing preservation of values
or preservation of representation of values to state so in
applicability statement.  They likely should do so on a per-syntax basis.

That is, an LDAP applicability statement for PKI applications should
state that servers shall preserve values and preserve representation
of values for select syntaxes (certificates, CRLs, etc.).

>Before I add this text into every schema definition for signed objects,
>it would be nice to know that an LDAPv3 bis document already contained
>text along these lines as a general statement, rather than making it
>specific to signed attribute values.

It doesn't.  This lack of a mandate should be discussed in the
technical specification.

Kurt
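Added example, not part of this thread nor of any LDAP implementation: a pure-Python sketch of why the distinction drawn above between preserving a value and preserving its representation matters for signed data. The "signature" is just a SHA-256 digest over the exact DER bytes, the "certificate" is a constructed one-element SEQUENCE, and the two server behaviours shown (re-encoding as equivalent BER, normalising a directoryString) are assumed for illustration.

```python
import hashlib

def der_sequence(inner: bytes) -> bytes:
    """Minimal (DER) encoding of SEQUENCE { inner }; inner assumed shorter than 128 bytes."""
    if len(inner) >= 128:
        raise ValueError("example handles short-form lengths only")
    return b"\x30" + bytes([len(inner)]) + inner

def ber_sequence_long_form(inner: bytes) -> bytes:
    """Same SEQUENCE with a non-minimal long-form length: valid BER, not valid DER."""
    if len(inner) >= 256:
        raise ValueError("example handles one-byte lengths only")
    return b"\x30\x81" + bytes([len(inner)]) + inner

def decode_sequence(buf: bytes) -> bytes:
    """Return the content octets of a SEQUENCE with short- or long-form length."""
    if buf[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    if buf[1] < 0x80:
        length, offset = buf[1], 2
    else:
        n = buf[1] & 0x7F
        length, offset = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return buf[offset:offset + length]

def sign(der: bytes) -> str:
    """Stand-in for a signature: a digest over the exact bytes that were signed."""
    return hashlib.sha256(der).hexdigest()

def check_roundtrip(stored: bytes, returned: bytes, sig: str) -> dict:
    """Compare what a client stored with what the server handed back."""
    return {
        "value_preserved": decode_sequence(stored) == decode_sequence(returned),
        "representation_preserved": stored == returned,
        "signature_verifies": sign(returned) == sig,
    }

def normalise_directory_string(s: str) -> str:
    """Assumed server behaviour for a directoryString: fold case and collapse
    spaces.  Storing this form changes the value itself, not just its encoding."""
    return " ".join(s.split()).lower()

# Constructed stand-in for a certificate: a PrintableString inside a SEQUENCE.
ORIGINAL = der_sequence(b"\x13\x0b" + b"Example Org")
SIGNATURE = sign(ORIGINAL)
# A server that re-encodes the value as equivalent BER keeps the value but not the bytes.
REENCODED = ber_sequence_long_form(decode_sequence(ORIGINAL))

if __name__ == "__main__":
    print(check_roundtrip(ORIGINAL, REENCODED, SIGNATURE))
    print(normalise_directory_string("Example  Org"))
```

The re-encoded copy decodes to the same value, yet the digest over the returned bytes no longer matches, which is exactly the failure a PKI applicability statement would have to rule out.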