
RE: ;binary migration solution



Steven Legg writes:
> As things stand today, we have a significant body of LDAPv3 compliant
> implementations that expect to get back "userCertificate;binary" from
> a request for "*".

I can think of a few ways to handle that, all of them ugly:

- Go back to my first suggestion.
  If an attribute is added with ;binary, it is returned with ;binary.
  Possibly unless it is asked for without ;binary, which causes
  the server to strip away ;binary in the result.
  Thus, the administrator can add certificates with ;binary if he
  has such clients.

  If the same site also has clients that want userCertificate without
  ;binary, they lose.

- Treat ;binary as a normal tagging option.  Add userCertificate;binary
  and get userCertificate;binary back.  If there are also clients that
  want it without ;binary, add plain userCertificate as well.

- Let the attribute syntax handle ;binary.  If an attribute has a
  "binary syntax", it is returned with ;binary.

  This breaks clients which do not want ;binary added.

How common are clients like you describe, compared to
(a) clients that do not want ;binary and ask for userCertificate,
(b) clients that do not want ;binary and ask for *?

> In any phased migration away from the use of ";binary",
> at some point compliant directory servers will have to change from
> returning userCertificate;binary to just returning userCertificate and
> this will break currently conformant clients.
>
> David Chadwick is the only one who has proposed a safe way to
> effect a migration (using controls). However, since such a migration
> delivers no practical benefit to conformant PKI clients (just a different
> way of asking for the same thing), I think the pain of migration is
> not justified.

Yes, it may be just as well to keep asking for ;binary.

BTW, as far as I can tell, my and David's proposals make migration
more or less equally hard:

Client side:
- update to try DontUseBinary (David's) or to ask for ;binary (mine).
Server side:
- update to let syntaxes ensure binary transfer.
- update to handle DontUseBinary or no-op ;binary
Client side, when servers have been upgraded:
- remove DontUseBinary (David's) or remove ;binary (mine).
Server side, when clients have been upgraded:
- remove support for DontUseBinary and ;binary.

-- 
Hallvard
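The three server behaviours listed above, as an added model that is not code from the thread or from any LDAP implementation. It takes the attributes an entry was stored with, one requested attribute ("*" or a description), and a policy name, and returns the attribute descriptions the server would send back, so the "which clients break" question can be checked for each case. The policy names ("as_added", "tagging_option", "syntax_driven"), the set of binary-syntax attribute types, and the rule that a request for the bare type also matches the ;binary-tagged subtype are assumptions made for the illustration; the stored entries are constructed sample data.

```python
# Added example (not from the original message): a small model of the three
# candidate server behaviours for the ;binary option and the clients they break.

# Assumption: attribute types whose syntax would require binary transfer
# under the "syntax_driven" policy.
BINARY_SYNTAX_TYPES = {"usercertificate", "cacertificate",
                       "certificaterevocationlist"}


def parse_attr_desc(desc):
    """Split an attribute description into (type, frozenset(options)).
    Attribute descriptions are case-insensitive, so everything is lowered."""
    parts = desc.strip().lower().split(";")
    return parts[0], frozenset(p for p in parts[1:] if p)


def render(attr_type, opts):
    """Rebuild a description with options in a stable order."""
    return ";".join([attr_type] + sorted(opts))


def server_response(policy, stored, requested):
    """Descriptions returned for one requested attribute under a policy.

    stored:    {description: [values]} as the entry was written.
    requested: "*" or an attribute description from the search request.
    """
    req_type, req_opts = parse_attr_desc(requested)
    out = set()
    for desc in stored:
        attr_type, opts = parse_attr_desc(desc)
        # Assumption: asking for the bare type also matches tagged subtypes.
        if requested != "*" and attr_type != req_type:
            continue
        if policy == "as_added":
            # First suggestion: return as stored, unless the client named the
            # type without ;binary, in which case the server strips it.
            if requested != "*" and "binary" not in req_opts:
                opts = opts - {"binary"}
        elif policy == "tagging_option":
            # ;binary is an ordinary tagging option: returned exactly as stored.
            pass
        elif policy == "syntax_driven":
            # The syntax decides: binary-syntax attributes always carry ;binary.
            if attr_type in BINARY_SYNTAX_TYPES:
                opts = opts | {"binary"}
        else:
            raise ValueError("unknown policy: %r" % policy)
        out.add(render(attr_type, opts))
    return sorted(out)


# Client kinds from the discussion: (what they request, what they expect back).
CLIENTS = {
    "star, expects ;binary": ("*", "usercertificate;binary"),
    "named, no ;binary": ("userCertificate", "usercertificate"),   # (a)
    "star, no ;binary": ("*", "usercertificate"),                  # (b)
}


def broken_clients(policy, stored):
    """Names of client kinds whose expectation is not met under a policy."""
    return sorted(name for name, (req, want) in CLIENTS.items()
                  if want not in server_response(policy, stored, req))


# Constructed sample entries (the value bytes are placeholders, not real DER).
STORED_BINARY_ONLY = {"userCertificate;binary": [b"\x30\x82\x00\x00"]}
STORED_PLAIN_ONLY = {"userCertificate": [b"\x30\x82\x00\x00"]}
STORED_BOTH = {"userCertificate;binary": [b"\x30\x82\x00\x00"],
               "userCertificate": [b"\x30\x82\x00\x00"]}


if __name__ == "__main__":
    for policy in ("as_added", "tagging_option", "syntax_driven"):
        for label, stored in (("binary only", STORED_BINARY_ONLY),
                              ("plain only", STORED_PLAIN_ONLY),
                              ("both", STORED_BOTH)):
            print("%-15s %-12s breaks: %s"
                  % (policy, label, broken_clients(policy, stored) or "nobody"))
```

Running it prints one line per policy and stored form. The "syntax_driven" row breaks both kinds of clients that do not want ;binary whatever was stored, "as_added" with certificates stored as ;binary breaks only the "*" client that wants a plain description, and "tagging_option" serves everybody only when the administrator stores the value under both descriptions, which is the double-storage cost the message points out.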