[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ;binary

To: Christopher Oliva <Chris.Oliva@entrust.com>
Subject: RE: ;binary
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sat, 23 Feb 2002 09:54:02 -0800
Cc: Christopher Oliva <Chris.Oliva@entrust.com>, Christopher Oliva <Chris.Oliva@entrust.com>, ietf-ldapbis@OpenLDAP.org, "David Chadwick SMTP (E-mail)" <d.w.chadwick@salford.ac.uk>
In-reply-to: <BFB44293CE13C9419B7AFE7CBC35B9390120D6BE@sottmxs08.entrust .com>

At 07:57 AM 2002-02-22, Christopher Oliva wrote:
>I submit to you that this type of system can exist and that the revisions of LDAPbis and PKIX must account for the given ambiguity.

The LDAPbis, which is responsible for the LDAP "core" specification,
is addressing this ambiguity.  The current approach addresses
the ambiguity by removing a number of "possible" interpretations.

>I also suggest the perfect way to do this is to accept the suggestions for the new PKIX I-D.

Resolving this ambiguity is beyond the scope of the PKIX I-D.
The ambiguity is not within the specification of certificate schema,
but within the specification of LDAP attribute options and the
;binary transfer option.  This needs to be addressed in the
"core" specification.  Once addressed in the "core" specification,
extensions to the core should be made consistent with it.

I suggest that those who advocate an approach different from
that described in protocol-06 offer a specification of their
approach for WG review.

>If this -06 breaks the scenario I have described above, it should be changed in order to satisy existing ldapv3 compliant implementations.

Sorry, but I believe that the TS is quite clear in stating:
  A compliant implementation must request userCertificate using ;binary.
  A compliant implementation must return userCertificate using ;binary.

and quite clear in stating:
  A complaint implementation must not expect the return of
  userCertificate using ;binary unless it requested userCertificate
  using ;binary.

The only ambiguity I see is with the RFC 2251 statement that
an AttributeDescription with one or more options is treated
as a subtype of the attribute type without any options.  However,
this is a general statement.  More specific statements should be
viewed as trumping it.  In particular, RFC 2251 continues to
describe binary option in a manner which doesn't treat an
an attribute type with the binary option as a subtype of
of the attribute type without the binary option.  That is,
"userCertificate;binary" and "userCertificate" don't refer
to distinct attributes but return to the same attribute. The
;binary only affects transfer of that attribute.

To avoid going in circles on this, I think we should agree to
disagree.

Kurt

Prev by Date: RE: ;binary
Next by Date: Service name + host check [Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard]
Index(es):
- Chronological
- Thread