[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: ;binary and userCertificate (Was: Private email ...)
Kurt,
Comments inline - see [RR].
Ron.
-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Thursday, 21 February 2002 19:34
To: Ramsay, Ron
Cc: LDAP BIS
Subject: RE: ;binary and userCertificate (Was: Private email ...)
At 10:59 PM 2002-02-20, Ramsay, Ron wrote:
>Kurt,
>
>It seems that much of your argument hinges on ASN.1 definitions of LDAP
>syntaxes. You referred me to RFC 2252 Section 4.3.2 for this. I read that
>section but could find no ASN.1 definitions.
RFC 2251 says:
The syntax of the binary value is an ASN.1 data type definition
which is referenced by the "SYNTAX" part of the attribute type
definition.
That reference is provided, for most every syntax (including
certificate) by the table in RFC 2252, 4.3.2.
[RR] If you search RFC 2252 for "SYNTAX" you will see there is no ASN.1 data
type definition. There is an object identifier. We could go to the table,
which you seem to regard as a reference to X.520, but look at a complex
type, PresentationAddress, for example.
Values in this syntax are encoded with the representation described
in RFC 1278 [6].
This is not ASN.1!
>You also seem to think there are two ways to use DNs,
In LDAPv3, you can transfer each and every value syntax in
two ways. You can transfer the string representation or
you can transfer a BER representation.
[RR] That's what you say!
>in particular, the use
>of a DN as an attribute value allows the X.500 encoding. But look at
Section
>6.9 of RFC 2252 -
>
> Values in the Distinguished Name syntax are encoded to have the
> representation defined in [5]. Note that this representation is not
> reversible to an ASN.1 encoding used in X.500 for Distinguished
> Names, as the CHOICE of any DirectoryString element in an RDN is no
> longer known.
>
>That is, ALL DNs are strings and no other definition exists for them.
That's paragraph is not precise. Each DN has multiple string
representations. While some of these representations may not
be reversible, each DN does have a reversible string
representation. That form should be used when reversibility
is desired.
[RR] Pardon! Please provide an example. A reference would also be nice. But
thanks for the information that RFC 2252 is not to be believed - I think it
cancels all of your arguments.
>You also make some statement about X.500 gateways.
I make statements about LDAP/DAP gateways. The term "X.500
gateway" is misleading as both LDAP and DAP are access protocols
to X.500 directories.
>If gatewaying were part of the LDAP standard
I never said it was. But LDAP is certainly designed to allow
implementation of DAP/LDAP gateways.
[RR] Desiged how? Could you give me a reference.
>Regarding the ;binary encoding of attributes on the mailing list, I just
>read, memorise and delete. I think Tim Howes was advising someone about
>wrapping strings, particularly that there would be two octet string tags
>around the string.
If, you transfer without ;binary, the AttributeValue, an OCTET STRING,
contains just the octets of the value. E.g. an AttributeValue
transferring userPassword:foo is encoded as the octets 04 03 66 6F 6F,
not 04 05 04 03 66 6F 6F.
However, If you use ;binary to transfer a value of OCTET STRING
syntax, then the AttributeValue, itself an OCTET STRING, contains
the BER encoding of the value. For example, the AttributeValue
transferring userPassword;binary:foo is encoded as the octets
04 05 04 03 66 6F 6F not 04 03 66 6F 6F.
[RR] Didn't I say precisely this?
Kurt