pem-dev

re:Using X.500 lookup protocols for PEM

1995-01-30 21:53:00
On Mon, 30 Jan 1995, warwick (w.s.) ford wrote:

> My local LDAP expert explains it as follows.  You don't need a binary
> encoding.  From the character-encoded fields you reconstruct the
> certificate, DER-encode it, and check the signature on the DER encoding.
> This is not, in fact, much different to the way you would handle a
> BER-encoded certificate - you need to parse and re-encode in DER before
> checking.

It is a little different.  When the certificate is converted into a
string, the subject and issuer DN's lose their string tags.  When you
reconstruct it, should you use PrintableString, T61String, NumericString,
IA5String, or what?  Try every possible combination until the signature
verifies?

I'd still feel a lot happier if I could just get the thing direct.  Less
chance of a slightly non-standard LDAP server ruining your whole day with
a dodgy conversion algorithm.  But I'll give it a go as-is for now.  I'm
more interested in whether LDAP is a good candidate for a lightweight CA
protocol or not, and in identifying both its strengths and weaknesses for PEM's
purposes.  I see the lack of a binary request mechanism as one such
weakness, but maybe not an unfixable one. 

Cheers,

Rhys.
-- 
Rhys Weatherley, Queensland University of Technology, Brisbane, Australia.
E-mail: rhys@fit.qut.edu.au  "net.maturity is knowing when NOT to followup"
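A worked illustration of the string-tag ambiguity Rhys raises, added here as an example and not part of the original thread or of any PEM/LDAP implementation: a minimal DER encoder for an X.500 Name whose attribute values may be tagged as any of the listed string types, a SHA-256 digest standing in for the signature the CA computed over the DER, and the "try every possible combination" search over tag choices. The DN, the tag choice attributed to the CA, and the character-set rules are constructed for the example; treating T61String and IA5String as covering any ASCII value is a simplification.

```python
import hashlib
import itertools
import string

# Universal tag numbers (X.680/X.690) for the string types the message lists.
STRING_TAGS = {
    "NumericString": 0x12,
    "PrintableString": 0x13,
    "T61String": 0x14,
    "IA5String": 0x16,
}

# X.520 attribute type OIDs for the DN components used in the example.
ATTR_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "CN": "2.5.4.3"}

PRINTABLE_CHARS = set(string.ascii_letters + string.digits + " '()+,-./:=?")


def der_len(n):
    """DER length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def parse_ldap_dn(text):
    """LDAP string DN (most specific first) to DER Name order (least specific
    first). No escaping support: constructed input only."""
    pairs = [part.split("=", 1) for part in text.split(",")]
    return [(a.strip().upper(), v.strip()) for a, v in reversed(pairs)]


def candidate_tags(value):
    """String types whose repertoire can carry the value. The character set
    narrows the choice but seldom to one: every PrintableString value is also
    a legal T61String and IA5String (ASCII coverage simplified here)."""
    tags = []
    if all(c in "0123456789 " for c in value):
        tags.append("NumericString")
    if all(c in PRINTABLE_CHARS for c in value):
        tags.append("PrintableString")
    if value.isascii():
        tags.extend(["T61String", "IA5String"])
    return tags


def encode_name(rdns, tag_choice):
    """DER Name: SEQUENCE OF (SET OF SEQUENCE { OID, string }), one string
    type chosen per attribute value."""
    parts = []
    for (attr, value), tag_name in zip(rdns, tag_choice):
        value_der = tlv(STRING_TAGS[tag_name], value.encode("ascii"))
        parts.append(tlv(0x31, tlv(0x30, der_oid(ATTR_OIDS[attr]) + value_der)))
    return tlv(0x30, b"".join(parts))


def signed_digest(der):
    """Stand-in for the CA's signature: any scheme hashes the DER it signs, so
    different DER means a different digest and a failed verification."""
    return hashlib.sha256(der).hexdigest()


def recover_tags(rdns, expected_digest):
    """Enumerate the tag choices the character sets permit, re-encode, and
    stop when the digest matches. Returns (choice, attempts)."""
    attempts = 0
    for choice in itertools.product(*(candidate_tags(v) for _, v in rdns)):
        attempts += 1
        if signed_digest(encode_name(rdns, choice)) == expected_digest:
            return choice, attempts
    return None, attempts


def demo():
    # Constructed: the DN as an LDAP server would hand it back as text.
    rdns = parse_ldap_dn("CN=Rhys Weatherley,O=Queensland University of Technology,C=AU")
    # Constructed: the tags the issuing CA happened to use when it signed.
    ca_choice = ("PrintableString", "PrintableString", "T61String")
    expected = signed_digest(encode_name(rdns, ca_choice))
    # Re-encoding everything as PrintableString gives different DER, so the
    # signature would not verify over it.
    assert signed_digest(encode_name(rdns, ("PrintableString",) * 3)) != expected
    choice, attempts = recover_tags(rdns, expected)
    search_space = 1
    for _, v in rdns:
        search_space *= len(candidate_tags(v))
    return choice, attempts, search_space


if __name__ == "__main__":
    print(demo())
```

The search space is the product of the candidate tag counts over every attribute value, so it grows with the number of RDNs (and with multi-valued RDNs, which this example does not model); a value with non-ASCII characters would also need the proper T.61 encoding rather than the ASCII bytes used here.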

