RE: CA strong binds
Dave:
I assume the digital signature bit is required to be turned on only if the
key usage extension is marked critical.
> -----Original Message-----
> From: Dave Horvath [SMTP:David.Horvath@chromatix.com]
> Sent: Tuesday, October 13, 1998 2:44 PM
> To: Sean Turner; PKIX; Ldapext
> Subject: Re: CA strong binds
>
>
> Sean,
>
> The only requirement that we have for the SafePages LDAP/X.500 products
> is that the certificate must have the digitalSignature bit asserted in the
> keyUsage field if it is a Version 3 certificate with the keyUsage extension
> present. The other bits and the cA flag in the basicConstraints
> extension are not consulted.
>
> The existence or the location of the certificate in the repository does
> not play a role for authentication.
>
> Dave Horvath
>
> -----Original Message-----
> From: Sean Turner <turners@ieca.com>
> To: PKIX <ietf-pkix@imc.org>; Ldapext <ietf-ldapext@netscape.com>
> Date: Tuesday, October 13, 1998 1:41 PM
> Subject: CA strong binds
>
>
> >All,
> >
> >Apologies in advance if you get two of this message but I wasn't sure
> >which list to send the message to.
> >
> >Recently some colleagues and I have been arguing whether applications
> >will choke when looking for CA certificates in
> >CertificationPath.userCertificate. For example, when a CA binds to an
> >LDAP server (using say the X.509 Authentication SASL Mechanism I-D)
> >the CA's certificate will be passed in
> >certification-path.userCertificate and the CA's superiors' certificates
> >are passed in certification-path.theCACertificates. Will applications
> >choke when trying to process the CA certificate from a field called
> >userCertificate or when trying to look for a "user's certificate"
> >which is in a CA's directory entry?
> >
> >I know the name of the field shouldn't be confused with the value that
> >goes into it, but we were concerned that many of the specifications
> >were clear on where CA certificates should be put when attempting to
> >perform strong binds to the directory.
> >
> >Any thoughts - implementation experience?
> >
> >Thanks,
> >
> >spt
> >
> >
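
The acceptance rule described in Dave Horvath's message, written out as an added example that is not part of the original thread and is not SafePages code. The function names, the only_if_critical switch (which models the assumption in the reply at the top) and the sample encodings are constructed for illustration; bit positions follow the X.509 KeyUsage definition.

```python
# Added example: names and sample encodings are constructed, not from the thread.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)

def parse_key_usage(der):
    """Return the set of named bits in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("keyUsage value is not a BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    total = len(body) * 8 - unused  # number of bits actually encoded
    # Bit 0 is the most significant bit of the first content octet.
    return {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < total and body[i // 8] & (0x80 >> (i % 8))
    }

def accept_for_strong_bind(version, key_usage_der, critical=False,
                           only_if_critical=False):
    """Apply the rule from the thread to one certificate.

    version          -- X.509 version number (3 for a Version 3 certificate)
    key_usage_der    -- DER BIT STRING from keyUsage, or None if absent
    only_if_critical -- hypothetical switch: enforce only when marked critical
    The cA flag in basicConstraints is deliberately not an input.
    """
    if version != 3 or key_usage_der is None:
        return True   # rule applies only to v3 certificates with keyUsage
    if only_if_critical and not critical:
        return True   # the reply's assumed variant
    return "digitalSignature" in parse_key_usage(key_usage_der)

# Constructed sample encodings of the keyUsage BIT STRING.
SIGN_ONLY = bytes.fromhex("03020780")      # digitalSignature
CA_ONLY = bytes.fromhex("03020106")        # keyCertSign, cRLSign
CA_AND_SIGN = bytes.fromhex("03020186")    # digitalSignature, keyCertSign, cRLSign

if __name__ == "__main__":
    for label, der in (("sign", SIGN_ONLY), ("ca", CA_ONLY), ("ca+sign", CA_AND_SIGN)):
        print(label, sorted(parse_key_usage(der)), accept_for_strong_bind(3, der))
```

Under this rule a CA certificate whose keyUsage carries only keyCertSign and cRLSign is refused for the bind, while a certificate with no keyUsage extension is accepted.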