[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Private email re LDAP and ;binary

To: Mark C Smith <mcs@netscape.com>
Subject: Re: Private email re LDAP and ;binary
From: David Chadwick <d.w.chadwick@salford.ac.uk>
Date: Tue, 19 Feb 2002 21:06:21 +0000
Cc: Christopher Oliva <Chris.Oliva@entrust.com>, Sharon Boeyen <sharon.boeyen@entrust.com>, LDAP BIS <ietf-ldapbis@OpenLDAP.org>
Organization: University of Salford
References: <BFB44293CE13C9419B7AFE7CBC35B9390120D69D@sottmxs08.entrust.com> <3C728DFA.4819D0DC@salford.ac.uk> <3C729994.7030409@netscape.com>

Mark C Smith wrote:

> Do you care about backwards compatibility? 

Yes. We must be backwards compatible with LDAPv3 as a minimum. But note
that up until now, LDAPv3 has not defined matching rules for any X.509
stuff, nor the syntax for many of the X.509 data structures. SO the PKIX
document is the first one in which syntaxes have been specified for
everything in X.509. Thus my point is, once syntaxes are specified and
known about, then the attributes and assertion values can be carried in
their known-about syntaxes, without any special instructions (such as
;binary) being needed. ;binary becomes an anachronism from the past and
can quietly die.
But it will be needed during a period of migration for those LDAPv3
servers that DONT know the
syntaxes of the X.509 stuff so that they will still be able to transfer
it correctly.
Therefore we should allow for both now, with the intention of phasing
out ;binary in the next version (or when it goes to full standard, say).

Thus my suggestion is that if ;binary is not used, the client and the
server must know what they are dealing with, and what its syntax is.
Values are carried in BER format. However, if ;binary is used, those
products that understand the syntax simply ignore the ;binary, those
that dont know the syntax, know they have to transfer the data as BER
encoded octets.

>Any change to the on-the-wire
> protocol for retrieving certificates over LDAPv3 makes me nervous. The
> entire installed base of LDAPv3 servers and clients uses an
> AttributeDescription of userCertificate;binary, as mandated by RFC 2252.

I agree, they do (or should do!!)

But note that the entire installed base of LDAPv2 clients and servers
(if there are many left) dont use ;binary and can still transfer X.509
stuff successfully. So ;binary is not essential for certificates to
work.

> Now you are suggesting that we change all clients and servers to use
> userCertificate.

No, not at all. Here's how it would work in practice

                  V3 Server              Older V3 Server
                  Understands            Does not understand

Client sends         OK                  Error
userCertificate                  

Client sends
userCert;binary     OK                  OK

So we have a problem with older LDAPv3 servers who dont know much about
the
syntax of the X.509 stuff they are storing, just that it should be sent
and received in BER format using ;binary. (they wont know how to match
on values either). Clearly if a client tries to add a certificate to one
of these servers without using ;binary, (this could be a v3 client
evolved from a v2 one for example) the server should reject it. Thats
OK. If another client uses ;binary the certificate can be stored, but if
the original client then tries to retrieve it, it will fail. So the rule
for clients is, to be on the safe side in the short to medium term, use
;binary.

My question to the server guys is "once you understand the syntax of
X.509 attributes and assertion values, why do you want ;binary to be
there?" You probably dont, so will be glad to see it go.

My question to v2 client migrators is "what is the big deal in adding
;binary to the X.509 attribute requests, since you will have to be
making other changes anyway when you migrate to v3"

> What value does such a change really have? Why propose
> such a change when it will very likely break some existing implementations?
> 

I guess in short, it tidies things up for the future, and removes an
anomaly from the standard.

David

> -Mark Smith
>   Netscape

-- 
*****************************************************************

David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351  Fax +44 161 745 8169
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@salford.ac.uk
Home Page:  http://www.salford.ac.uk/its024/chadwick.htm
Research Projects: http://sec.isi.salford.ac.uk
Understanding X.500:  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

begin:vcard 
n:Chadwick;David
tel;cell:+44 77 96 44 7184
tel;fax:+44 1484 532930
tel;home:+44 1484 352238
tel;work:+44 161 295 5351
x-mozilla-html:FALSE
url:http://www.salford.ac.uk/its024/chadwick.htm
org:University of Salford;IS Institute
version:2.1
email;internet:d.w.chadwick@salford.ac.uk
title:Professor of Information Security
adr;quoted-printable:;;The Crescent=0D=0A;Salford;Greater Manchester;M5 4WT;England
note;quoted-printable:Research Projects: http://sec.isi.salford.ac.uk.......................=0D=0A=0D=0AUnderstanding X.500:  http://www.salford.ac.uk/its024/X500.htm .......................=0D=0A=0D=0AX.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm...................=0D=0A=0D=0AEntrust key validation string: CJ94-LKWD-BSXB ...........=0D=0A=0D=0APGP Key ID is 0xBC238DE5
x-mozilla-cpt:;-4856
fn:David Chadwick
end:vcard

References:
- Re: Private email re LDAP and ;binary
  - From: David Chadwick <d.w.chadwick@salford.ac.uk>
- Re: Private email re LDAP and ;binary
  - From: mcs@netscape.com (Mark C Smith)

Prev by Date: Re: Private email re LDAP and ;binary
Next by Date: RE: Private email re LDAP and ;binary
Index(es):
- Chronological
- Thread