[Top] [All Lists]

RE: which usercertificate attribute

2000-04-07 12:00:40
This sounds reasonable.

I presume that there's going to be a round of edits surrounding a magic date
in September...


-----Original Message-----
From: David P. Kemp [mailto:dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil]
Sent: Friday, April 07, 2000 10:22 AM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: which usercertificate attribute

The correct attribute in which to publish end-entity certificates is
the one defined by RFC 2587 "LDAPv2 Schema", namely userCertificate.

RFC 2632 "S/MIME Version 3 Certificate Handling", section 4, does not
specify user agent requirements, leaving implementors on their own to
decide how to retrieve certs.  It mentions X.500 (presumably meaning
DAP) and DNS, but says:

  "At a minimum, for initial S/MIME deployment, a user agent
  could automatically generate a message to an intended recipient
  requesting that recipient's certificate in a signed return

For son-of-2632, the first paragraph of section 4 needs to be rewritten
to reflect the current directory environment.  At that time, it should
also provide a little more guidance on interoperability.  I suggest:

  "At a minimum, S/MIME user agents MUST support LDAP (RFC 2559) and
  the LDAP v2 Schema (RFC 2587)."

The new section 4 could mention certdist as an option, but standard
LDAP should be mandatory.  Certdist could (if modified) be used to
communicate the recipient's algorithm preferences without containing
the recipient's certificate(s).

Dave Kemp

From: thayes(_at_)netscape(_dot_)com (Terry Hayes)

Thierry Van Doninck wrote:


When I use Netscape Communicator as a mail client, I can 'get' the 
certificates of my correspondents from a ldap directory.
Netscape however looks for a userSMIMEcertificate instead of a 

Which is the correct attribute to publish Certificates in ?
I would think that using 1 certificate for all applications would be a
more user friendly.

The userSMIMEcertificate attribute contains additional information about
SMIME recipient, in particular the preferred
encryption algorithms.  Without this information, the message sender has
guess what algorithms would be acceptable.  This is
why Communicator used userSMIMEcertificate.

More recent versions of SMIME support for Communicator (in particular the
security add-on) supports retrieval of the
certificates from both attributes in the directory.  In addition, PSM has 
support for automatically retrieving certificates
from your primary directory (address book) without manual intervention.

Terry Hayes