[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)

Erwann Abalea wrote:
> Hodie III Kal. Feb. MMX, Howard Chu scripsit:

(Sorry, just had to laugh, using a ~3000 year old language in email...)

>> erwann.abalea@keynectis.com wrote:

>> Also note that, technically, LDAP is defined to conform to the 1993
>> edition of the X.500 specs, and X.509(1993) makes no such allowance
>> here.
> I didn't know that LDAP was designed to conform to a specific edition
> of the standard. Isn't that strange? After all, it should also refuse
> to handle X.509v2 CRLs, and X.509v3 certificates, which appear for the
> first time in the 1997 edition.
> Anyway, I hadn't thought about looking at older revisions of the X.509
> standard. You're right, my 1997 edition doesn't say anything about
> this, and my 2000 edition (a french version) has the same text as the
> 2005 one.

See RFC4510, section 2. Yes, it's certainly an inconsistency in the LDAP spec, 
that RFC4513 requires use of subjectAltNames which clearly require X.509v3 
certs but the only normative references to the necessary edition of X.509 is 
outside the core specification. (Looking again I see that RFC4523 references 
X.509(2000) so it appears that some portions of newer X.500 editions are being 
incorporated, piecemeal...)

> Anyway, thank you again. I'll test the head version and will come back
> later.

> BTW, what do you mean by "needs some thought" (in the ticket notes)?

I hadn't decided yet if slapd should log a warning for this or not.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/