Re: Private email re LDAP and ;binary

[mcs@netscape.com (Mark C Smith)]

David Chadwick wrote:

>

> > The only argument for insisting on the mandatory ";binary" is the
> > possibility that the old RFC 1778 string formats will be presented in
> > a response. However, those old RFC 1778 syntaxes were updated by RFC
> > 2559.
>
> Yes, I guess you are correct. The ;binary was really a hack job to cater
> for the broken string encoding of certificates. I dont really see why we
> need to use it now, if the PKIX document states specifically what the
> LDAP transfer syntax is, we should just be able to just simply ask for
> certificates (without ;binary) and get BER back. Since BER is the only
> recognised syntax in the latest specification.


Do you care about backwards compatibility? Any change to the on-the-wire 
protocol for retrieving certificates over LDAPv3 makes me nervous. The 
entire installed base of LDAPv3 servers and clients uses an 
AttributeDescription of userCertificate;binary, as mandated by RFC 2252. 
Now you are suggesting that we change all clients and servers to use 
userCertificate. What value does such a change really have? Why propose 
such a change when it will very likely break some existing implementations?

-Mark Smith
 Netscape