the ;binary PKI question
While presently the revised LDAPv3 core TS I-Ds (produced by
LDAPBIS WG) and the PKI LDAP Schema I-D (produced by the PKIX WG)
do not rely on the ;binary option, it should be noted that the PKIX
WG has apparently not yet reached consensus regarding how
certificate attributes are to be requested and transferred in
LDAP. The PKIX WG is currently considering the
"userCertificate;binary" v. "userCertificate" question.
It should be noted that LDAPBIS's prior decisions to remove
PKI schema and ;binary feature from its I-Ds should not be
viewed as precluding either choice. While the
"userCertificate;binary" would require a specification of
the ;binary option, a ;binary option specified as an
extension to the LDAP "core" technical specification may be
sufficient to meet PKIX needs. And, if it's demonstrated that this is
insufficient, prior decisions can be reconsidered.
However, before any reconsideration, we first need PKIX WG to
reach consensus on the "userCertificate;binary" v.
"userCertificate" question and, if the choice is to
support "userCertificate;binary", explore specification of
;binary as an extension.
So, while this thread is interesting and quite welcome to
continue, I would like to stress that the "userCertificate;binary"
v. "userCertificate" issue is still an open question. As this
question is "owned" by PKIX, please make sure that all relevant
comments are posted to the PKIX WG.
Kurt, LDAPBIS co-chair