
Re: A plan for PKIX, LDAPv3, and ;binary



I guess I wasn't clear enough in what I said.  I meant:

  a) Some clients which request (using LDAPv3) "userCertificate"
     expect "userCertificate" to be returned.
  b) Some clients which request (using LDAPv3) "userCertificate"
     expect "userCertificate;binary" to be returned.

But I'll revise my conclusion a bit...

This makes it hard for a server to support both.  The
plan gives the choice of whether to support neither,
one or the other, or both to the implementor.  I list
both here because the implementor could return the
attribute twice (once as "userCertificate", once as
"userCertificate;binary").

Basically, the specification needs to detail the definitive
mechanism for requesting and transferring certificates in
LDAP.  Beyond that, we need to be very careful not to disallow
implementations from being "liberal" with "non-strict" peers.

Kurt
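
The client side of being "liberal" with the cases above, as an added example that is not part of the original message: a reader that accepts the certificate under either "userCertificate" or "userCertificate;binary" and collapses the duplicates produced by a server that returns both. It assumes a search entry is a dict mapping attribute description to a list of byte-string values; the function names and sample entries are hypothetical.

```python
def split_description(description):
    """Split an LDAP attribute description into (type, options), lower-cased."""
    base, *options = description.lower().split(";")
    return base, frozenset(o for o in options if o)


def collect_values(entry, attr_type="userCertificate"):
    """Return (unique_values, forms_seen) for attr_type in a search entry.

    Accepts the value under either the plain description or the ";binary"
    one, and drops the duplicates produced by a server that returns both.
    """
    wanted = attr_type.lower()
    values, seen, forms = [], set(), []
    for description, raw_values in entry.items():
        base, options = split_description(description)
        if base != wanted or options - {"binary"}:
            continue  # different attribute, or an option we do not handle
        forms.append(description)
        for value in raw_values:
            if value not in seen:
                seen.add(value)
                values.append(value)
    return values, forms


# Constructed sample entries; the byte strings stand in for DER certificates.
CERT_A = b"\x30\x82\x01\x0aCERT-A"
CERT_B = b"\x30\x82\x01\x0bCERT-B"
PLAIN_ONLY = {"cn": [b"Example User"], "userCertificate": [CERT_A]}
BINARY_ONLY = {"usercertificate;BINARY": [CERT_A, CERT_B]}
BOTH_FORMS = {"userCertificate": [CERT_A], "userCertificate;binary": [CERT_A]}

if __name__ == "__main__":
    samples = [("plain", PLAIN_ONLY), ("binary", BINARY_ONLY), ("both", BOTH_FORMS)]
    for name, entry in samples:
        values, forms = collect_values(entry)
        print(name, len(values), forms)
```

The returned list of forms lets a caller log which description a given server used, which helps when diagnosing interoperability between strict and non-strict peers.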