ietf-smime

RE: which usercertificate attribute

2000-04-07 12:00:40
This sounds reasonable.

I presume that there's going to be a round of edits surrounding a magic date
in September...

Blake

-----Original Message-----
From: David P. Kemp [mailto:dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil]
Sent: Friday, April 07, 2000 10:22 AM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: which usercertificate attribute


The correct attribute in which to publish end-entity certificates is
the one defined by RFC 2587 "LDAPv2 Schema", namely userCertificate.

RFC 2632 "S/MIME Version 3 Certificate Handling", section 4, does not
specify user agent requirements, leaving implementors on their own to
decide how to retrieve certs.  It mentions X.500 (presumably meaning
DAP) and DNS, but says:

  "At a minimum, for initial S/MIME deployment, a user agent
  could automatically generate a message to an intended recipient
  requesting that recipient's certificate in a signed return
  message."

For son-of-2632, the first paragraph of section 4 needs to be rewritten
to reflect the current directory environment.  At that time, it should
also provide a little more guidance on interoperability.  I suggest:

  "At a minimum, S/MIME user agents MUST support LDAP (RFC 2559) and
  the LDAP v2 Schema (RFC 2587)."

The new section 4 could mention certdist as an option, but standard
LDAP should be mandatory.  Certdist could (if modified) be used to
communicate the recipient's algorithm preferences without containing
the recipient's certificate(s).

Dave Kemp





From: thayes(_at_)netscape(_dot_)com (Terry Hayes)

Thierry Van Doninck wrote:

Hi,

When I use Netscape Communicator as a mail client, I can 'get' the
certificates of my correspondents from a ldap directory.
Netscape however looks for a userSMIMEcertificate instead of a
userCertificate.

Which is the correct attribute to publish Certificates in?
I would think that using 1 certificate for all applications would be a
lot more user friendly.


The userSMIMEcertificate attribute contains additional information about
the SMIME recipient, in particular the preferred encryption algorithms.
Without this information, the message sender has to guess what
algorithms would be acceptable.  This is why Communicator used
userSMIMEcertificate.

More recent versions of SMIME support for Communicator (in particular
the PSM security add-on) support retrieval of the certificates from
both attributes in the directory.  In addition, PSM has support for
automatically retrieving certificates from your primary directory
(address book) without manual intervention.

Terry Hayes
thayes(_at_)netscape(_dot_)com