[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: userCertificate question

To: Michael Luich <mluich@stonesrose.com>
Subject: Re: userCertificate question
From: Michael Ströder <michael@stroeder.com>
Date: Fri, 18 Sep 2009 16:07:24 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <d1e924380909180700qb2894a2h4fef026b97a7d42b@mail.gmail.com>
References: <d1e924380909180700qb2894a2h4fef026b97a7d42b@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.23) Gecko/20090823 SeaMonkey/1.1.18

Michael Luich wrote:
> Does userCertificate, userSMIMECertificate, and userPKCS12 store the
> users public or private key?

'userCertificate' is used solely to store the raw X.509 public-key cert.

'userSMIMECertificate' was meant to store a PKCS#7 blob signed by the entity
itself with the entity's X.509 public-key cert attached. It was possible for
an end-user with Netscape Communicator 4.x to send such a PKCS#7 blob to a
LDAP directory. I don't know any deployment which does that today.

'userPKCS12' contains a PKCS#12 blob which besides a cert chain potentially
contains the entity's private key hopefully all encrypted with a passphrase.
Again: I don't know any deployment which does that. Maybe in some Windows/AD
environment. However this could be helpful e.g. in a webmail deployment
together with S/MIME support.

Ciao, Michael.

-- 
Michael Ströder
E-Mail: michael@stroeder.com
http://www.stroeder.com

References:
- userCertificate question
  - From: Michael Luich <mluich@stonesrose.com>

Prev by Date: attribute writing: can an overlay do this?
Next by Date: Re: attribute writing: can an overlay do this?
Index(es):
- Chronological
- Thread