[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ;binary and userCertificate (Was: Private email ...)

To: "Ramsay, Ron" <Ron.Ramsay@ca.com>
Subject: RE: ;binary and userCertificate (Was: Private email ...)
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thu, 21 Feb 2002 00:34:25 -0800
Cc: LDAP BIS <ietf-ldapbis@OpenLDAP.org>
In-reply-to: <A7E3A4B51615D511BCB6009027D0D18C03E06F50@aspams01.ca.com>

At 10:59 PM 2002-02-20, Ramsay, Ron wrote:
>Kurt,
>
>It seems that much of your argument hinges on ASN.1 definitions of LDAP
>syntaxes. You referred me to RFC 2252 Section 4.3.2 for this. I read that
>section but could find no ASN.1 definitions.

RFC 2251 says:
   The syntax of the binary value is an ASN.1 data type definition
   which is referenced by the "SYNTAX" part of the attribute type
   definition.

That reference is provided, for most every syntax (including
certificate) by the table in RFC 2252, 4.3.2.

>You also seem to think there are two ways to use DNs,

In LDAPv3, you can transfer each and every value syntax in
two ways. You can transfer the string representation or
you can transfer a BER representation.

>in particular, the use
>of a DN as an attribute value allows the X.500 encoding. But look at Section
>6.9 of RFC 2252 -
>
>   Values in the Distinguished Name syntax are encoded to have the
>   representation defined in [5].  Note that this representation is not
>   reversible to an ASN.1 encoding used in X.500 for Distinguished
>   Names, as the CHOICE of any DirectoryString element in an RDN is no
>   longer known.
>
>That is, ALL DNs are strings and no other definition exists for them.

That's paragraph is not precise.  Each DN has multiple string 
representations.  While some of these representations may not
be reversible, each DN does have a reversible string
representation.  That form should be used when reversibility
is desired.

>You also make some statement about X.500 gateways.

I make statements about LDAP/DAP gateways.  The term "X.500
gateway" is misleading as both LDAP and DAP are access protocols
to X.500 directories.

>If gatewaying were part of the LDAP standard

I never said it was.  But LDAP is certainly designed to allow
implementation of DAP/LDAP gateways.

>Regarding the ;binary encoding of attributes on the mailing list, I just
>read, memorise and delete. I think Tim Howes was advising someone about
>wrapping strings, particularly that there would be two octet string tags
>around the string.

If, you transfer without ;binary, the AttributeValue, an OCTET STRING, contains just the octets of the value.  E.g. an AttributeValue
transferring userPassword:foo is encoded as the octets 04 03 66 6F 6F,
not 04 05 04 03 66 6F 6F.

However, If you use ;binary to transfer a value of OCTET STRING
syntax, then the AttributeValue, itself an OCTET STRING, contains
the BER encoding of the value.  For example, the AttributeValue
transferring userPassword;binary:foo is encoded as the octets
04 05 04 03 66 6F 6F not 04 03 66 6F 6F.

Kurt

References:
- RE: ;binary and userCertificate (Was: Private email ...)
  - From: "Ramsay, Ron" <Ron.Ramsay@ca.com>

Prev by Date: RE: ;binary and userCertificate (Was: Private email ...)
Next by Date: Re: ;binary and userCertificate (Was: Private email ...)
Index(es):
- Chronological
- Thread