;binary migration solution

Dear All,

I have a suggestion to solve the migration of systems that currently use
;binary for certificates, to future ones that won't (according to the
latest spec).

A new control is defined "Dont Use ;binary" that is always set to
critical by new systems (clients) that implement the latest LDAPv3
protocol.

An old (existing) LDAPv3 server that supports ;binary won't understand
the control and will reply "unavailable critical extension". The client
will then remove the control and expect to receive
userCertificate;binary in the reply.

A new LDAPv3 server that understands the control and knows that ;binary
has been removed from LDAPv3, and that the native encoding for
certificates as defined in the PKIX draft is BER encoding, will return
the certificate without ;binary.

Old clients and old servers will continue to use ;binary for
certificates until they migrate.

An old client won't set the new control, so a new server that has removed
the need for ;binary must still send the certificate using ;binary
attribute descriptions, so as to cater for the old client.

Once all systems have moved over to not using ;binary (i.e. all clients
and servers understand the new control), then the need for the new "Dont
Use ;binary" control can be deprecated as it is no longer necessary.

Comments?

Regards

David
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351 Fax +44 01484 532930
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@salford.ac.uk
Home Page: http://www.salford.ac.uk/its024/chadwick.htm
Research Projects: http://sec.isi.salford.ac.uk
Understanding X.500: http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
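
The four client/server combinations described in the message above, modelled as an added sketch that is not part of the original post or of any LDAP implementation. The control OID is a placeholder (the message assigns none), and the function names and certificate bytes are constructed; only result code 12 (unavailableCriticalExtension) is taken from LDAPv3.

```python
# Toy model of the proposed negotiation (added example, not a real LDAP stack).
NO_BINARY_OID = "1.3.6.1.4.1.99999.1"   # placeholder: the proposal assigns no OID
SUCCESS = 0
UNAVAILABLE_CRITICAL_EXTENSION = 12      # LDAPv3 resultCode
CERT = b"\x30\x03\x02\x01\x01"           # constructed stand-in for a BER certificate


def server_search(server_is_new, controls):
    """Answer a search for the certificate; controls is a list of (oid, critical)."""
    control_seen = False
    for oid, critical in controls:
        if server_is_new and oid == NO_BINARY_OID:
            control_seen = True
        elif critical:
            # An unrecognised critical control must fail the operation.
            return UNAVAILABLE_CRITICAL_EXTENSION, {}
    if control_seen:
        return SUCCESS, {"userCertificate": CERT}
    # Old server, or new server talking to a client that did not send the control.
    return SUCCESS, {"userCertificate;binary": CERT}


def client_fetch(client_is_new, server_is_new):
    """Return (attribute description received, number of requests sent)."""
    controls = [(NO_BINARY_OID, True)] if client_is_new else []
    code, attrs = server_search(server_is_new, controls)
    requests = 1
    expected = "userCertificate" if client_is_new else "userCertificate;binary"
    if code == UNAVAILABLE_CRITICAL_EXTENSION and client_is_new:
        # Old server: drop the control, retry, and expect the ;binary form.
        code, attrs = server_search(server_is_new, [])
        requests += 1
        expected = "userCertificate;binary"
    if code != SUCCESS or expected not in attrs:
        raise RuntimeError(f"unexpected reply: code={code}, attrs={list(attrs)}")
    return expected, requests


if __name__ == "__main__":
    for client_is_new in (True, False):
        for server_is_new in (True, False):
            print(client_is_new, server_is_new, client_fetch(client_is_new, server_is_new))
```

Only the new-client/old-server pairing costs a second round trip; the other three combinations complete in one request.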