[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: A plan for PKIX, LDAPv3, and ;binary

To: ietf-pkix@imc.org, ietf-ldapbis@OpenLDAP.org
Subject: Re: A plan for PKIX, LDAPv3, and ;binary
From: Harald Koch <chk@pobox.com>
Date: Fri, 22 Nov 2002 09:47:44 -0500
In-reply-to: Kurt's message of "Thu, 21 Nov 2002 20:15:24 -0500". <5.1.0.14.0.20021121192156.03522c10@127.0.0.1>
References: <5.1.0.14.0.20021121192156.03522c10@127.0.0.1>

>  There are clients which
> expect:
>         a) return the certificate using "userCertificate;binary" or
>         b) return the certificate using "userCertificate".
> 
> (as well as clients which accept either)

The problem is complicated by the fact that there are LDAPv3 *servers*,
some that expect 'userCertificate;binary' and some that expect
'userCertificate'.

Then there are servers that support either, and will return whichever
attribute name they think is correct, regardless of the request.

Then there are implementations that perform searches on, and return,
whichever name was used to store the certificate, without treating the
;binary transfer option specially. Requesting 'userCertificate' would
not return any 'userCertificate;binary' attribute stored in the entry,
and vice versa.

(IIRC, one older server could even store *both* userCertificate and
 userCertificate;binary in a single directory entry as separate,
 multi-valued attributes :-).

So sadly, the only thing a truly interoperable client can do is request
both and accept both; performing two searches and merging the results.
Nothing else covers all current implementations, in my implementation
experience.

-- 
Harald Koch     <chk@pobox.com>

References:
- RE: A plan for PKIX, LDAPv3, and ;binary
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Syntaxes: '$' in Teletex Terminal Identifier
Next by Date: Re: Continuation reference to root DN
Index(es):
- Chronological
- Thread