
Re: ;binary migration solution



d.w.chadwick@salford.ac.uk writes:
> I am not sure that this solves the migration problem since you are
> giving rules that have to be obeyed by existing systems, which they
> can't do if they are not upgraded. My "control" solution did not affect
> existing systems, only new systems. This was the point in having a
> migration solution.

As Kurt mentioned, you should send your suggestion to ietf-pkix@imc.org.
(And then maybe I should send this letter there too, unless you
tell me where I'm wrong or address this posting in your pkix message.)

Anyway, I don't see what you mean.

With my original suggestion, the migration solution on the client side
is simply to make no changes and keep asking for userCertificate;binary.
That will handle both old and new servers.

The final step of the migration on the client side, to remove the
migration solution (not use ";binary" or a "don't use binary" control),
must in either case wait until one trusts that all servers the client
will use have been upgraded.

The same step on the server side must in both cases wait until one
trusts that no clients that use the server use the migration solution.

Have I missed something?


Well, I may have missed handling update operations, though.  When
"userCertificate;binary" is added (with the add/modify operation) today,
does the server remove ";binary" and store the name "userCertificate"?
If so, my version of ";binary" should do the same.

-- 
Hallvard