
Re: CA strong binds
Santosh,

	Good question.  I believe we will reject the signature verification
even if the extension is not marked critical, as long as the ASN.1 is
decoded properly, but I will have to verify.

Dave Horvath

Santosh Chokhani wrote:
> 
> Dave:
> 
> I assume the digital signature bit is required to be turned only if the
> key usage extension is marked critical.
> 
> > -----Original Message-----
> > From: Dave Horvath [SMTP:David.Horvath@chromatix.com]
> > Sent: Tuesday, October 13, 1998 2:44 PM
> > To:   Sean Turner; PKIX; Ldapext
> > Subject:      Re: CA strong binds
> >
> >
> > Sean,
> >
> >     The only requirement that we have for the SafePages LDAP/X.500
> > products is that the certificate must have the digitalSignature bit
> > asserted in the keyUsage field if it is a Version 3 certificate with the
> > keyUsage extension present.  The other bits and the cA flag in the
> > basicConstraints extensions are not consulted.
> >
> >     The existence or the location of the certificate in the repository
> > does not play a role for authentication.
> >
> > Dave Horvath
> >
> > -----Original Message-----
> > From: Sean Turner <turners@ieca.com>
> > To: PKIX <ietf-pkix@imc.org>; Ldapext <ietf-ldapext@netscape.com>
> > Date: Tuesday, October 13, 1998 1:41 PM
> > Subject: CA strong binds
> >
> >
> > >All,
> > >
> > >Apologies in advance if you get two of this message but I wasn't
> > >sure which list to send the message to.
> > >
> > >Recently some colleagues and I have been arguing whether applications
> > >will choke when looking for CA certificates in
> > >CertificationPath.userCertificate.  For example, when a CA binds to
> > >an LDAP server (using say the X.509 Authentication SASL Mechanism I-D)
> > >the CA's certificate will be passed in
> > >certification-path.userCertificate and the CA's superiors'
> > >certificates are passed in certification-path.theCACertificates.  Will
> > >applications choke when trying to process the CA certificate from a
> > >field called userCertificate or when trying to look for a "user's
> > >certificate" which is in a CA's directory entry?
> > >
> > >I know the name of the field shouldn't be confused with the value
> > >that goes into it, but we were concerned that many of the specifications
> > >were clear on where CA certificates should be put when attempting to
> > >perform strong binds to the directory.
> > >
> > >Any thoughts - implementation experience?
> > >
> > >Thanks,
> > >
> > >spt
> > >
> > >
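An added example, not code from this thread or from the SafePages product, of the acceptance rule Dave describes above: when a v3 certificate carries keyUsage, the digitalSignature bit must be asserted, while the extension's criticality, the other bits and basicConstraints.cA are not consulted. The KeyUsage BIT STRING is decoded by hand so that the "as long as the ASN.1 is decoded properly" point is visible; the Extension/Certificate classes and the sample extension values are this example's own minimal, constructed representation.

```python
import dataclasses

KEY_USAGE_OID = "2.5.29.15"          # id-ce-keyUsage
BASIC_CONSTRAINTS_OID = "2.5.29.19"  # id-ce-basicConstraints
DIGITAL_SIGNATURE = 1 << 0           # KeyUsage bit 0


@dataclasses.dataclass
class Extension:            # minimal stand-in for an X.509 Extension
    oid: str
    critical: bool
    value: bytes            # DER-encoded extnValue contents


@dataclasses.dataclass
class Certificate:          # only the fields this rule looks at
    version: int            # 1, 2 or 3; extensions exist in v3 only
    extensions: list


def decode_key_usage(der: bytes) -> int:
    """Decode the KeyUsage DER BIT STRING into an int whose bit i is set
    when KeyUsage bit i is set (bit 0 = digitalSignature, the MSB of the
    first content byte). Rejects malformed encodings instead of guessing."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("KeyUsage is not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad BIT STRING length")
    unused, bits = der[2], der[3:]
    if unused > 7 or (not bits and unused):
        raise ValueError("bad unused-bits count")
    if bits and bits[-1] & ((1 << unused) - 1):
        raise ValueError("DER requires unused bits to be zero")
    flags = 0
    for i in range(len(bits) * 8 - unused):
        if bits[i // 8] & (0x80 >> (i % 8)):
            flags |= 1 << i
    return flags


def accept_for_strong_bind(cert: Certificate) -> bool:
    """Dave's rule: keyUsage present on a v3 certificate => digitalSignature
    must be asserted. Criticality and basicConstraints are ignored, and a
    certificate with no keyUsage extension is accepted."""
    if cert.version != 3:
        return True
    for ext in cert.extensions:
        if ext.oid == KEY_USAGE_OID:
            return bool(decode_key_usage(ext.value) & DIGITAL_SIGNATURE)
    return True
```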