
RE: No-op LDAP ;binary option


David, I agree with the summary of the problem you've provided below .. in terms of basic ldapv3 interoperability, ;binary has been the number 1 problem I've encountered.

I prefer a solution that defines "userCertificate;binary" and "userCertificate" to have the same meaning .. that is, a request for userCertificate will return the same binary encoded value as a request for userCertificate;binary (and the attribute description returned will be userCertificate;binary if userCertificate;binary was requested).

Chris.

-----Original Message-----
From: d.w.chadwick@salford.ac.uk [mailto:d.w.chadwick@salford.ac.uk]
Sent: Thursday, November 21, 2002 4:52 PM
To: steve.hanna@sun.com; rweiser@trustdst.com
Cc: Housley, Russ; steve.hanna@East.Sun.COM; Hallvard B Furuseth;
ietf-pkix@imc.org; Ramsay, Ron
Subject: Re: No-op LDAP ;binary option



Date sent:              Wed, 20 Nov 2002 16:39:26 -0700
From:                   Russel F Weiser <rweiser@trustdst.com>
Send reply to:          rweiser@trustdst.com
Organization:           Digital Signature Trust
To:                     steve.hanna@sun.com
Copies to:              "Housley, Russ" <rhousley@rsasecurity.com>, steve.hanna@East.Sun.COM,
        Hallvard B Furuseth <h.b.furuseth@usit.uio.no>, ietf-pkix@imc.org,
        "Ramsay, Ron" <Ron.Ramsay@ca.com>
Subject:                Re: No-op LDAP ;binary option

> I strongly agree with Hallvard's solution!!!
> Cheers
> Russel F Weiser
>

This would be fine if userCertificate;binary was implemented by all LDAPv3
implementations according to the spec. But it isn't. Neither is it guaranteed that
LDAP servers will treat an LDAPv2 request for userCertificate the same as a v3
request for userCertificate;binary. Which they should. These are some of the
reasons why the whole topic of ;binary was re-visited by LDAPBIS earlier this
year. Chris Oliver from Entrust did a whole lot of interop testing and found
many bugs and problems in LDAP implementations. I would be interested in
Chris's views of Hallvard's proposal.

David

>
> Steve Hanna wrote:
> >
> > Russ Housley wrote:
> > >I do not really care as long as we agree on ONE way to do it.  We can come
> > >up with a transition strategy once there is an agreed to standard.  I
> > >cannot accept multiple ways to ask for the same stuff.
> >
> > We need to support userCertificate;binary because that's what
> > the current spec and implementations support. The LDAPBIS
> > working group wants to transition to userCertificate.
> >
> > I don't think it's possible to meet both of these requirements
> > without having two ways to access the attribute. Why is it so
> > important to only have one way? Wouldn't a smooth transition
> > from userCertificate;binary to userCertificate be preferable?
> > Do you have some better idea? If so, please present it.
> >
> > Otherwise, I suggest we use Hallvard's simplest solution:
> > New servers MUST support userCertificate or userCertificate;binary
> > and treat them as identical. Clients SHOULD use userCertificate;binary.
> > Once the old servers are gone, we can say that clients SHOULD
> > use userCertificate.
> >
> > -Steve
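As an added illustration of the behaviour Chris and Steve propose (example code, not written by anyone in this thread), the helper below treats ";binary" as a no-op for certificate attributes on the server side, echoes back whichever description the client asked for, and lets a client accept either spelling in a response since servers are inconsistent. The set of binary-syntax attribute types, the function names and the placeholder certificate bytes are this example's assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Attribute types whose syntax is natively DER, so ';binary' adds nothing.
# Assumption of this example: userCertificate from the thread plus its usual
# PKI siblings; adjust to the schema actually served.
BINARY_SYNTAX_TYPES = {"usercertificate", "cacertificate",
                       "certificaterevocationlist", "authorityrevocationlist",
                       "crosscertificatepair"}


def normalize(desc: str) -> Tuple[str, Tuple[str, ...]]:
    """Return (lowercased type, sorted lowercased options) for 'type;opt;opt',
    dropping ';binary' when the type is already binary-syntax (the no-op)."""
    head, *opts = desc.split(";")
    attr_type = head.strip().lower()
    if not attr_type:
        raise ValueError(f"empty attribute type in {desc!r}")
    options = {o.strip().lower() for o in opts if o.strip()}
    if attr_type in BINARY_SYNTAX_TYPES:
        options.discard("binary")
    return attr_type, tuple(sorted(options))


def server_lookup(entry: Dict[str, List[bytes]],
                  requested: str) -> Optional[Tuple[str, List[bytes]]]:
    """Server side: 'userCertificate' and 'userCertificate;binary' resolve to
    the same stored values, and the description echoed back is the one the
    client used, so a ';binary' request is answered with ';binary'."""
    key = normalize(requested)
    for stored_desc, values in entry.items():
        if normalize(stored_desc) == key:
            return requested, list(values)
    return None


def client_pick(response: Dict[str, List[bytes]],
                wanted: str) -> Optional[List[bytes]]:
    """Client side: accept the value whether the server labelled it
    'userCertificate' or 'userCertificate;binary'."""
    key = normalize(wanted)
    for desc, values in response.items():
        if normalize(desc) == key:
            return list(values)
    return None


# Constructed sample data: FAKE_CERT is a placeholder DER-like blob, not a
# real certificate. One entry is stored v3-style, the other with the bare type.
FAKE_CERT = b"\x30\x03\x02\x01\x01"
ENTRY_V3_STYLE = {"userCertificate;binary": [FAKE_CERT], "cn": [b"Chris"]}
ENTRY_BASE_STYLE = {"userCertificate": [FAKE_CERT]}
```

Options other than ";binary" (for example language tags) are still required to match exactly, so the no-op is confined to the one option the thread is about.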