[Date Prev][Date Next] [Chronological] [Thread] [Top]

crossCertificatePair, what exactly should the contents be?

I'm gonna admit to being a bit frustrated about the
crossCertificatePair attribute.  I want to know what the contents
should be.  Two DER blobs in sequence, where the first is the forward
cerificate and the second is the reverse certificate?  A certs-only
PKCS#7 thingy?  A PKCS#12 thingy?

I mean, in RFC2252, I get to know the following about the defined
syntax for that attribute:

6.7. Certificate Pair

   ( DESC 'Certificate Pair' )

   Because the Certificate is being carried in binary, values in this
   syntax MUST only be transferred using a binary encoding, by
   requesting or returning the attribute description
   "crossCertificatePair;binary". The BNF notation in RFC 1778 for
   "Certificate Pair" is not recommended to be used.

Really?  Not look in RFC1778?  Cool, then I know what NOT to do.

It looks like there's a draft that would define the syntax a little
better: draft-ietf-pkix-ldap-pki-schema-00.txt.  It basically says
that the value "is the octet string that results from the BER/DER-
encoding an X.509 public key certificate pair".  However, I still
don't know what a "public key certificate pair" exactly is in this
context.  Is it a "SEQUENCE { issuedToThisCA Certificate,
issuedByThisCA Certificate }" or what?

Please help.  If nothing else, please point me at documentation that
really defines this, not just the vague mumblage that I've found so

And I realise that this is not the fault of anyone on this list.  I'm
not blaming anyone, just a bit frustrated.

Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.