Re: CA strong binds
Sandi,
I don't believe the OID of the attribute (indicating where the
certificate came from) is included in the certification path as defined
in X.509.
Dave H
Miklos, Sue A. wrote:
>
> Dave,
>
> I believe the discussion may have been related to "which data blob" goes
> into the protocol exchange when performing an operation that calls out
> "userCertificate", if the user is a CA. Does the CA certificate (with a
> different oid) get inserted into the exchange or does this require that
> the CA also maintain a certificate (identical information?) with the oid
> of a userCertificate.
>
> I realize this should be transparent, but wonder if others have
> experiences with this.
>
> Sandi
>
> >----------
> >From: Dave Horvath[SMTP:David.Horvath@chromatix.com]
> >Sent: Tuesday, October 13, 1998 2:44 PM
> >To: Sean Turner; PKIX; Ldapext
> >Subject: Re: CA strong binds
> >
> >
> >Sean,
> >
> > The only requirement that we have for the SafePages LDAP/X.500 products
> >is that the certificate must have the digitalSignature bit asserted in the
> >keyUsage field if it is a Version 3 certificate with the keyUsage extension
> >present. The other bits and the cA flag in the basicConstraints
> >extensions are not consulted.
> >
> > The existence or the location of the certificate in the repository does
> >not play a role for authentication.
> >
> >Dave Horvath
> >
> >-----Original Message-----
> >From: Sean Turner <turners@ieca.com>
> >To: PKIX <ietf-pkix@imc.org>; Ldapext <ietf-ldapext@netscape.com>
> >Date: Tuesday, October 13, 1998 1:41 PM
> >Subject: CA strong binds
> >
> >
> >>All,
> >>
> >>Apologies in advance if you get two of this message but I wasn't sure
> >>which list to send the message to.
> >>
> >>Recently some colleagues and I have been arguing whether applications
> >>will choke when looking for CA certificates in
> >>CertificationPath.userCertificate. For example, when a CA binds to an
> >>LDAP server (using say the X.509 Authentication SASL Mechanism I-D)
> >>the CA's certificate will be passed in
> >>certification-path.userCertificate and the CA's superiors' certificates
> >>are passed in certification-path.theCACertificates. Will applications
> >>choke when trying to process the CA certificate from a field called
> >>userCertificate or when trying to look for a "user's certificate"
> >>which is in a CA's directory entry?
> >>
> >>I know the name of the field shouldn't be confused with the value that
> >>goes into it, but we were concerned that many of the specifications
> >>were clear on where CA certificates should be put when attempting to
> >>perform strong binds to the directory.
> >>
> >>Any thoughts - implementation experience?
> >>
> >>Thanks,
> >>
> >>spt
> >>
> >>
> >
> >
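Added example, not part of the original thread and not SafePages code: the keyUsage condition described in the quoted reply, applied to the DER-encoded BIT STRING of a keyUsage extension. The function names and the hex sample values are constructed for illustration; signature and path validation are not modelled.

```python
# Named bits of the X.509 KeyUsage BIT STRING, in bit order (bit 0 first).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

def parse_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (keyUsage extension value) into bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bits count")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # DER numbers bits from the most significant bit of the first octet.
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names

def acceptable_for_bind(version: int, key_usage_der, is_ca: bool) -> bool:
    """Rule from the quoted reply: a v3 certificate that carries keyUsage
    must assert digitalSignature. is_ca (basicConstraints cA) is accepted
    as an argument only to show that it is not consulted."""
    if version == 3 and key_usage_der is not None:
        return "digitalSignature" in parse_key_usage(key_usage_der)
    return True

# Constructed sample keyUsage values (DER), not taken from real certificates.
CA_SIGN_ONLY = bytes.fromhex("03020106")  # keyCertSign + cRLSign
CA_WITH_DS = bytes.fromhex("03020186")    # digitalSignature + keyCertSign + cRLSign
USER_DS = bytes.fromhex("03020780")       # digitalSignature only

if __name__ == "__main__":
    for label, ku in [("CA, signing bits only", CA_SIGN_ONLY),
                      ("CA with digitalSignature", CA_WITH_DS),
                      ("end user", USER_DS), ("no keyUsage", None)]:
        print(label, "->", acceptable_for_bind(3, ku, is_ca=ku is not USER_DS))
```

Under this rule a CA certificate issued with only keyCertSign and cRLSign fails the check, while one that also asserts digitalSignature passes no matter which field or attribute carried it.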