
RE: CA strong binds



Dave, 

I believe the discussion may have been related to "which data blob" goes
into the protocol exchange when performing an operation that calls out
"userCertificate", if the user is a CA.  Does the CA certificate (with a
different oid) get inserted into the exchange or does this require that
the CA also maintain a certificate (identical information?) with the oid
of a userCertificate?

I realize this should be transparent, but wonder if others have
experiences with this.

Sandi

>----------
>From: 	Dave Horvath[SMTP:David.Horvath@chromatix.com]
>Sent: 	Tuesday, October 13, 1998 2:44 PM
>To: 	Sean Turner; PKIX; Ldapext
>Subject: 	Re: CA strong binds
>
>
>Sean,
>
>    The only requirement that we have for the SafePages LDAP/X.500 products
>is that the certificate must have the digitalSignature bit asserted in the
>keyUsage field if it is a Version 3 certificate with the keyUsage extension
>present.  The other bits and the cA flag in the basicConstraints
>extension are not consulted.
>
>    The existence or the location of the certificate in the repository does
>not play a role for authentication.
>
>Dave Horvath
>
>-----Original Message-----
>From: Sean Turner <turners@ieca.com>
>To: PKIX <ietf-pkix@imc.org>; Ldapext <ietf-ldapext@netscape.com>
>Date: Tuesday, October 13, 1998 1:41 PM
>Subject: CA strong binds
>
>
>>All,
>>
>>Apologies in advance if you get two of this message but I wasn't sure
>>which list to send the message to.
>>
>>Recently some colleagues and I have been arguing whether applications
>>will choke when looking for CA certificates in
>>CertificationPath.userCertificate.  For example, when a CA binds to an
>>LDAP server (using say the X.509 Authentication SASL Mechanism I-D)
>>the CA's certificate will be passed in
>>certification-path.userCertificate and the CA's superiors' certificates
>>are passed in certification-path.theCACertificates.  Will applications
>>choke when trying to process the CA certificate from a field called
>>userCertificate or when trying to look for a "user's certificate"
>>which is in a CA's directory entry?
>>
>>I know the name of the field shouldn't be confused with the value that
>>goes into it, but we were concerned that many of the specifications
>>were clear on where CA certificates should be put when attempting to
>>perform strong binds to the directory.
>>
>>Any thoughts - implementation experience?
>>
>>Thanks,
>>
>>spt
>>
>>
>
>
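
The keyUsage rule quoted above from Dave Horvath, written out as an added example that is not part of the original thread and is not code from any product it mentions. The function names are hypothetical, the DER byte strings are constructed samples of a keyUsage extension value, and `version` is the human-readable X.509 version number.

```python
# Added illustration; function names are hypothetical and the DER samples
# below are constructed, not taken from any real certificate.

# KeyUsage named bits in X.509 order (bit 0 is the most significant bit).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage BIT STRING into the set of asserted bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, unused, body = der[1], der[2], der[3:]
    if length >= 0x80 or length != len(body) + 1 or unused > 7:
        raise ValueError("malformed BIT STRING")
    if (not body and unused) or (body and body[-1] & ((1 << unused) - 1)):
        raise ValueError("unused bits must be zero in DER")
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if byte < len(body) and body[byte] & (0x80 >> bit):
            names.add(name)
    return names


def passes_key_usage_rule(version: int, key_usage_der=None) -> bool:
    """Apply the rule as stated in the thread: only a Version 3 certificate
    that carries keyUsage is checked, and then only for digitalSignature.
    basicConstraints.cA and the certificate's location in the directory
    are deliberately not inputs."""
    if version != 3 or key_usage_der is None:
        return True  # the stated rule places no requirement on this case
    return "digitalSignature" in decode_key_usage(key_usage_der)


# Constructed keyUsage extension values (tag, length, unused bits, flags).
CA_SIGN_ONLY = bytes.fromhex("03020106")  # keyCertSign + cRLSign
CA_WITH_DS = bytes.fromhex("03020186")    # digitalSignature + keyCertSign + cRLSign
END_ENTITY = bytes.fromhex("03020780")    # digitalSignature only
```

Under this rule the outcome depends only on the keyUsage bits: a CA certificate that asserts just keyCertSign and cRLSign is refused, while one that also asserts digitalSignature is accepted, whichever field of the certification path carries it.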