ietf-smime
[Top] [All Lists]

Re: which usercertificate attribute

2000-04-10 13:59:22
Dave:

I am not convinced that LDAP support is a MUST requirement. S/MIMEv2 included a mechanism to support clients that are directory-impaired. So far, this capability has remained in S/MIMEv3.

If LDAP is supported, then I agree with the things you say.

Russ


At 01:22 PM 04/07/2000 -0400, David P. Kemp wrote:
The correct attribute in which to publish end-entity certificates is
the one defined by RFC 2587 "LDAPv2 Schema", namely userCertificate.

RFC 2632 "S/MIME Version 3 Certificate Handling", section 4, does not
specify user agent requirements, leaving implementors on their own to
decide how to retrieve certs.  It mentions X.500 (presumably meaning
DAP) and DNS, but says:

  "At a minimum, for initial S/MIME deployment, a user agent
  could automatically generate a message to an intended recipient
  requesting that recipient's certificate in a signed return
  message."

For son-of-2632, the first paragraph of section 4 needs to be rewritten
to reflect the current directory environment.  At that time, it should
also provide a little more guidance on interoperability.  I suggest:

  "At a minimum, S/MIME user agents MUST support LDAP (RFC 2559) and
  the LDAP v2 Schema (RFC 2587)."

The new section 4 could mention certdist as an option, but standard
LDAP should be mandatory.  Certdist could (if modified) be used to
communicate the recipient's algorithm preferences without containing
the recipient's certificate(s).

Dave Kemp





> From: thayes(_at_)netscape(_dot_)com (Terry Hayes)
>
> Thierry Van Doninck wrote:
>
> > Hi,
> >
> > When I use Netscape Communicator as a mail client, I can 'get' the
certificates of my correspondents from a ldap directory.
> > Netscape however looks for a userSMIMEcertificate instead of a
userCertificate.
> >
> > Which is the correct attribute to publish Certificates in ?
> > I would think that using 1 certificate for all applications would be a lot
more user friendly.
> >
>
> The userSMIMEcertificate attribute contains additional information about the
SMIME recipient, in particular the preferred
> encryption algorithms. Without this information, the message sender has to
guess what algorithms would be acceptable.  This is
> why Communicator used userSMIMEcertificate.
>
> More recent versions of SMIME support for Communicator (in particular the PSM
security add-on) supports retrieval of the
> certificates from both attributes in the directory.  In addition, PSM has
support for automatically retrieving certificates
> from your primary directory (address book) without manual intervention.
>
> Terry Hayes
> thayes(_at_)netscape(_dot_)com