
Re: CA strong binds



Sandi,

	I don't believe the OID of the attribute (indicating where the
certificate came from) is included in the certification path as defined
in X.509.

Dave H

Miklos, Sue A. wrote:
> 
> Dave,
> 
> I believe the discussion may have been related to "which data blob" goes
> into the protocol exchange when performing an operation that calls out
> "userCertificate", if the user is a CA.  Does the CA certificate (with a
> different OID) get inserted into the exchange, or does this require that
> the CA also maintain a certificate (identical information?) with the OID
> of a userCertificate?
> 
> I realize this should be transparent, but wonder if others have
> experiences with this.
> 
> Sandi
> 
> >----------
> >From:  Dave Horvath[SMTP:David.Horvath@chromatix.com]
> >Sent:  Tuesday, October 13, 1998 2:44 PM
> >To:    Sean Turner; PKIX; Ldapext
> >Subject:       Re: CA strong binds
> >
> >
> >Sean,
> >
> >    The only requirement that we have for the SafePages LDAP/X.500 products
> >is that the certificate must have the digitalSignature bit asserted in the
> >keyUsage field if it is a Version 3 certificate with the keyUsage extension
> >present.  The other bits and the cA flag in the basicConstraints
> >extension are not consulted.
> >
> >    The existence or the location of the certificate in the repository does
> >not play a role for authentication.
> >
> >Dave Horvath
> >
> >-----Original Message-----
> >From: Sean Turner <turners@ieca.com>
> >To: PKIX <ietf-pkix@imc.org>; Ldapext <ietf-ldapext@netscape.com>
> >Date: Tuesday, October 13, 1998 1:41 PM
> >Subject: CA strong binds
> >
> >
> >>All,
> >>
> >>Apologies in advance if you get two of this message, but I wasn't sure
> >>which list to send the message to.
> >>
> >>Recently some colleagues and I have been arguing whether applications
> >>will choke when looking for CA certificates in
> >>CertificationPath.userCertificate.  For example, when a CA binds to an
> >>LDAP server (using, say, the X.509 Authentication SASL Mechanism I-D)
> >>the CA's certificate will be passed in
> >>certification-path.userCertificate and the CA's superiors' certificates
> >>are passed in certification-path.theCACertificates.  Will applications
> >>choke when trying to process the CA certificate from a field called
> >>userCertificate or when trying to look for a "user's certificate"
> >>which is in a CA's directory entry?
> >>
> >>I know the name of the field shouldn't be confused with the value that
> >>goes into it, but we were concerned that many of the specifications
> >>were clear on where CA certificates should be put when attempting to
> >>perform strong binds to the directory.
> >>
> >>Any thoughts - implementation experience?
> >>
> >>Thanks,
> >>
> >>spt
> >>
> >>
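The two points made in this thread, shown as an added example that is not code from the thread, from the SafePages products or from any other product it mentions: first, the X.509 CertificationPath is purely positional, so a CA certificate placed in userCertificate travels without any attribute type (userCertificate or cACertificate) attached to it, which is why the receiving side cannot tell which directory attribute it came from; second, the acceptance rule Dave Horvath describes, applied to two subordinate CA certificates that both carry cA=TRUE, one with digitalSignature asserted and one without. It uses only the Go standard library. Function names (BuildCertificationPath, ParseCertificationPath, AcceptableForStrongBind, issue), the subject names, the Ed25519 keys and the field names forward/reverse from the 1997 edition of X.509 are all assumptions of this example; only the forward element of CertificatePair is modelled.

```go
// Added example, not code from the thread or any product it mentions: encode the X.509
// CertificationPath a CA presents in a strong bind, then apply the SafePages rule quoted above.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// X.509 (1997): CertificationPath ::= SEQUENCE { userCertificate Certificate, theCACertificates
//   SEQUENCE OF CertificatePair OPTIONAL }; CertificatePair ::= SEQUENCE { forward [0] Certificate
//   OPTIONAL, reverse [1] Certificate OPTIONAL }. Only forward is modelled; its [0] wrapper is built by hand.
type certificatePair struct {
	Forward asn1.RawValue `asn1:"optional"`
}
type certificationPath struct {
	UserCertificate   asn1.RawValue
	TheCACertificates []certificatePair `asn1:"optional"`
}

// BuildCertificationPath fills the positional userCertificate slot with whatever certificate the
// binding entity holds; no attribute type (userCertificate vs cACertificate) is encoded with it.
func BuildCertificationPath(userDER []byte, superiorsDER [][]byte) ([]byte, error) {
	p := certificationPath{UserCertificate: asn1.RawValue{FullBytes: userDER}}
	for _, der := range superiorsDER {
		fwd := asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: der}
		p.TheCACertificates = append(p.TheCACertificates, certificatePair{Forward: fwd})
	}
	return asn1.Marshal(p)
}

// ParseCertificationPath returns the userCertificate followed by the forward certificate of each pair.
func ParseCertificationPath(der []byte) ([]*x509.Certificate, error) {
	var p certificationPath
	if _, err := asn1.Unmarshal(der, &p); err != nil {
		return nil, err
	}
	concat := append([]byte(nil), p.UserCertificate.FullBytes...) // copy: FullBytes aliases der
	for _, pair := range p.TheCACertificates {
		concat = append(concat, pair.Forward.Bytes...) // each [0] wrapper holds one superior's DER
	}
	return x509.ParseCertificates(concat)
}

// AcceptableForStrongBind is the rule from the thread: a v3 certificate that carries keyUsage must
// assert digitalSignature; the other bits, the basicConstraints cA flag and where the certificate
// sits in the directory are deliberately not consulted.
func AcceptableForStrongBind(cert *x509.Certificate) error {
	for _, ext := range cert.Extensions { // only v3 certificates carry extensions
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 15}) && cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
			return errors.New("keyUsage present but digitalSignature not asserted")
		}
	}
	return nil
}

// issue creates a constructed test certificate (panics if signing fails); parent == nil means self-signed.
func issue(serial int64, cn string, ku x509.KeyUsage, isCA bool,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader is documented never to fail
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	root, rootKey := issue(1, "Example Root CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true, nil, nil)
	subDS, _ := issue(2, "Example Sub CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, true, root, rootKey)
	subNoDS, _ := issue(3, "Example Sub CA (no digitalSignature)", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true, root, rootKey)
	pathDER, err := BuildCertificationPath(subDS.Raw, [][]byte{root.Raw})
	if err != nil {
		panic(err)
	}
	certs, err := ParseCertificationPath(pathDER)
	if err != nil {
		panic(err)
	}
	fmt.Printf("userCertificate=%q cA=%v superiors=%d\n", certs[0].Subject.CommonName, certs[0].IsCA, len(certs)-1)
	fmt.Printf("with digitalSignature: %v; without: %v\n", AcceptableForStrongBind(subDS), AcceptableForStrongBind(subNoDS))
}
```

The encoded path begins with a plain universal SEQUENCE and embeds both certificates as raw DER, so nothing in it names the attribute the certificate was read from; a receiver that wants to treat the first element specially has to do so by position. Under the quoted rule, a subordinate CA whose keyUsage carries only keyCertSign and cRLSign is refused the bind even though it is a perfectly good CA certificate, while a v3 certificate with no keyUsage extension at all is accepted.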