
Re: CA strong binds



Sean,

    The only requirement that we have for the SafePages LDAP/X.500 products
is that the certificate must have the digitalSignature bit asserted in the
keyUsage field if it is a Version 3 certificate with the keyUsage extension
present. The other bits and the cA flag in the basicConstraints
extension are not consulted.

    The existence or the location of the certificate in the repository does
not play a role for authentication.

Dave Horvath

-----Original Message-----
From: Sean Turner <turners@ieca.com>
To: PKIX <ietf-pkix@imc.org>; Ldapext <ietf-ldapext@netscape.com>
Date: Tuesday, October 13, 1998 1:41 PM
Subject: CA strong binds


>All,
>
>Apologies in advance if you get two of this message but I wasn't sure
>which list to send the message to.
>
>Recently some colleagues and I have been arguing whether applications
>will choke when looking for CA certificates in
>CertificationPath.userCertificate.  For example, when a CA binds to an
>LDAP server (using say the X.509 Authentication SASL Mechanism I-D)
>the CA's certificate will be passed in
>certification-path.userCertificate and the CA's superiors' certificates
>are passed in certification-path.theCACertificates.  Will applications
>choke when trying to process the CA certificate from a field called
>userCertificate or when trying to look for a "user's certificate"
>which is in a CA's directory entry?
>
>I know the name of the field shouldn't be confused with the value that
>goes into it, but we were concerned that many of the specifications
>were clear on where CA certificates should be put when attempting to
>perform strong binds to the directory.
>
>Any thoughts - implementation experience?
>
>Thanks,
>
>spt
>
>
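
The keyUsage rule described in the reply above, as an added example that is not part of the original thread and is not SafePages code. The function names, the `is_ca` parameter and the sample byte strings are constructed for illustration; the input is assumed to be the certificate version plus the DER-encoded KeyUsage BIT STRING from the extension value, and signature and path validation are out of scope.

```python
from typing import Optional

# X.509 KeyUsage bit numbers (bit 0 is the most significant bit of the first octet).
DIGITAL_SIGNATURE = 0
KEY_CERT_SIGN = 5
CRL_SIGN = 6


def decode_key_usage(der: bytes) -> set:
    """Return the asserted bit numbers from a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    return {i for i in range(total_bits) if body[i // 8] & (0x80 >> (i % 8))}


def bind_cert_acceptable(version: int, key_usage_der: Optional[bytes],
                         is_ca: bool = False) -> bool:
    """Apply the rule from the reply: digitalSignature is required only when
    the certificate is Version 3 and carries a keyUsage extension.

    version is the human-readable number (3 for a v3 certificate).
    is_ca (basicConstraints cA) is accepted but deliberately not consulted.
    """
    if version != 3 or key_usage_der is None:
        return True  # no keyUsage to check, so the rule imposes nothing
    return DIGITAL_SIGNATURE in decode_key_usage(key_usage_der)


# Constructed sample keyUsage values (not taken from any real certificate).
USER_KU = bytes.fromhex("03020780")        # digitalSignature
CA_KU = bytes.fromhex("03020106")          # keyCertSign + cRLSign
CA_SIGNING_KU = bytes.fromhex("03020186")  # digitalSignature + keyCertSign + cRLSign

if __name__ == "__main__":
    for name, ku, ca in [("user", USER_KU, False), ("CA", CA_KU, True),
                         ("CA with digitalSignature", CA_SIGNING_KU, True),
                         ("CA without keyUsage", None, True)]:
        print(f"{name}: acceptable for bind = {bind_cert_acceptable(3, ku, ca)}")
```

Under this rule a CA certificate whose keyUsage asserts only keyCertSign and cRLSign fails the bind, while the field it arrives in and its cA flag make no difference.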