pem-dev

Using X.500 lookup protocols for PEM

1995-01-28 18:49:00
On Sun, 29 Jan 1995, Mr Rhys Weatherley wrote:

> For what it's worth, I'm doing a few experiments with LDAP at the moment
> to see just how useful X.500 is for PEM's purposes.

After looking at the LDAP RFCs a little more, I've come to the conclusion
that it isn't very useful at all as a candidate lightweight CA access
protocol in its current form.  Certificates are returned using a string
encoding.  Except perhaps for simple v1 certificates, this means that the
signature on the certificate won't verify once the string encoding has
been de-mangled.  I hold out little hope that v3 certificates would
survive such mangling.  I can't as yet see a way to force LDAP to return
binary values.  If I've missed anything, LDAP experts are welcome to point
it out to me.

Strike 1 against the X.500 directory, Bob. :-) (Note: this is a _technical_
strike, not a fuzzy "I hate OSI" strike).

It may be possible to break LDAP slightly to make it return binary values
for certificates and CRLs.  That would require liaising with the working
group responsible for LDAP to ensure we don't produce something that will
break existing LDAP clients and servers.  It will also require
modifications to existing LDAP servers, which may not be easy to
accomplish.

I'm now trying to chase up information on implementing DAP over TCP/IP. 
Pointers will be appreciated.  I hope to God I don't need to implement the
entire OSI stack to use DAP, or Strike 2 will be imminent. :-(

Cheers,

Rhys.

References: RFC 1487 and RFC 1488.
-- 
Rhys Weatherley, Queensland University of Technology, Brisbane, Australia.
E-mail: rhys@fit.qut.edu.au  "net.maturity is knowing when NOT to followup"
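The technical objection in the message above is that a certificate's signature covers the exact DER bytes of the signed portion, so any directory transport that decodes the certificate into abstract values and re-emits it will only verify if the re-emitted bytes are identical to the originals. The following script is an added illustration, not code from the post or from any LDAP implementation: it uses a constructed six-byte BER value (a SEQUENCE holding one INTEGER, written with a non-minimal long-form length) in place of a real certificate, a SHA-256 digest standing in for the signature, and two hypothetical transports: a byte-preserving one (base64) and a parse-and-re-encode one. The parser, re-encoder and transport names are all assumptions made for the example.

```python
import base64
import hashlib

# Constructed sample standing in for a certificate: SEQUENCE { INTEGER 5 }
# encoded in BER with a long-form length (0x81 0x03) where DER requires the
# short form (0x03). The signer hashed these exact bytes.
NON_CANONICAL = bytes([0x30, 0x81, 0x03, 0x02, 0x01, 0x05])


def parse_tlv(data, offset=0):
    """Parse one BER/DER tag-length-value at offset.

    Returns (tag, value_bytes, offset_after_this_element).
    Indefinite-length encodings are rejected for simplicity.
    """
    tag = data[offset]
    first = data[offset + 1]
    if first < 0x80:                       # short-form length
        length, pos = first, offset + 2
    else:                                  # long-form length: N following bytes
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length not supported")
        length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
        pos = offset + 2 + n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated element")
    return tag, value, pos + length


def der_encode(tag, value):
    """Emit a TLV using DER's minimal length encoding."""
    n = len(value)
    if n < 0x80:
        header = bytes([tag, n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([tag, 0x80 | len(length_bytes)]) + length_bytes
    return header + value


def reencode(data):
    """Hypothetical 'string' transport: decode to abstract values, re-emit DER.

    Constructed elements (bit 0x20 set in the tag) are re-encoded recursively;
    primitive contents are copied through unchanged.
    """
    tag, value, _ = parse_tlv(data)
    if tag & 0x20:
        children = b""
        off = 0
        while off < len(value):
            start = off
            _, _, off = parse_tlv(value, off)
            children += reencode(value[start:off])
        value = children
    return der_encode(tag, value)


def transport_binary(data):
    """Hypothetical byte-preserving transport (base64 round trip)."""
    return base64.b64decode(base64.b64encode(data))


def transport_reencoding(data):
    """Hypothetical parse-and-re-encode transport."""
    return reencode(data)


def signature_survives(data, transport):
    """True if the receiver ends up hashing the same bytes the signer hashed.

    The digest stands in for the certificate signature: if the bytes differ,
    a real signature check on the transported copy would fail.
    """
    original = hashlib.sha256(data).digest()
    received = hashlib.sha256(transport(data)).digest()
    return original == received


if __name__ == "__main__":
    print("binary transport keeps signature:",
          signature_survives(NON_CANONICAL, transport_binary))
    print("re-encoding transport keeps signature:",
          signature_survives(NON_CANONICAL, transport_reencoding))
    print("re-encoded bytes:", reencode(NON_CANONICAL).hex())
```

The byte-preserving transport returns True and the re-encoding transport returns False for the constructed input, because the re-encoder shortens `30 81 03` to `30 03`. Feeding the re-encoder's own output back through it returns True: DER is a fixed point of the re-encoding, which is why a certificate that was already minimal DER might survive such a transport while one carrying any BER variation will not.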