[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ;binary and userCertificate (Was: Private email ...)

To: "Ramsay, Ron" <Ron.Ramsay@ca.com>
Subject: RE: ;binary and userCertificate (Was: Private email ...)
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 20 Feb 2002 18:03:13 -0800
Cc: LDAP BIS <ietf-ldapbis@OpenLDAP.org>
In-reply-to: <A7E3A4B51615D511BCB6009027D0D18C03DF509C@aspams01.ca.com>

At 05:00 PM 2002-02-20, Ramsay, Ron wrote:
>Where is your idea of returning an X500 DN by asking for dn;binary spelled
>out?

I was referring to attributes of DN syntax, not to a DN
of an entry.  Maybe using attributes of directoryString syntax
in the example would make a less confusing.

;binary applies to all attributes.  A client can request CN;binary,
member;binary, userCertificate;binary, etc..  In all cases, if the
server supports ;binary for that attribute, the server returns
BER encoded values.

It's spelled out in RFC 2251, Section 4.1.5.1.

One of its primary uses is in security applications, see
RFC 2252 9.2 (but s/Binary syntax/binary transfer/ in last
sentence for it to make sense).

>I would expect LDAP servers to regard the DN as a string and simply wrap it
>with an octet string tag. In fact, I don't remember any description of a
>non-string encoding of DN in the LDAP documents.

DNs transferred in fields of LDAPDN type in the protocol are
RFC 2253 strings.  Assertion and attribute values of distinguishName
syntax can be transferred using the native (octet) string
encoding, e.g. an RFC 2253 string, or using ;binary transfer,
e.g. BER.

>As regards your other arguments, I have trouble getting a handle on them.
>The only attributes that MUST be requested with ;binary are the certificate
>bunch. A client MUST always expect these to be returned with ;binary
>regardless of the request.

And the client MUST request them as ;binary.

RFC 2256:
   This attribute is to be stored and REQUESTED in the binary form, as
   'userCertificate;binary'.  (emphasis added)

RFC 2252:
   ... values in this syntax MUST only be transferred using the
   binary encoding, by requesting or returning the attributes
   with descriptions "userCertificate;binary" or
   "caCertificate;binary".

RFC 2256:
   clients MUST NOT expect servers to return an attribute in
   binary format if the client requested that attribute by name
   without the binary option.

A client which requests "userCertificate" (without ;binary)
does not conform to the specification.

>Requesting other attributes with ;binary just seems wrong.
>(I reject your notion that servers will perform some
>unspecified action to return a novel encoding of an attribute.

It's specified quite clearly in RFC 2251, 4.1.5.1.

>I do agree with Chris that ;binary was a BAD idea.

IMO, ;binary, as "intended" by 4.1.5.1, is a useful feature
of LDAPv3.

References:
- RE: ;binary and userCertificate (Was: Private email ...)
  - From: "Ramsay, Ron" <Ron.Ramsay@ca.com>

Prev by Date: RE: ;binary and userCertificate (Was: Private email ...)
Next by Date: RE: ;binary and userCertificate (Was: Private email ...)
Index(es):
- Chronological
- Thread