Tim,
LDAP uses the string representation of distinguished names defined by
RFC 1485. This representation preserves the attribute types associated
with each RDN component. This representation of a DN should not be
confused with the "user friendly naming" specification, which in most
cases omits the attribute names. An example LDAP dn might be
cn=Tim Howes, o=University of Michigan, c=US
Such a DN should be fully reconstructable into its original form, as
carried by DAP, so one should be able to reconstruct the original DER
encoded version of the certificate and verify the signature (as Warwick
has described, I believe).
I have not read RFC 1485, but I would be quite curious to know how some of the
other, perhaps less commonly cited attributes would be conveyed. If the only
support provided is for the attributes in X.520, that will surely not be
sufficient. For example, does the RFC support the attribute types defined by
the NADF's Standing Documents?
What will the impact be of the X.509 version 3 format? Will LDAP be able to
retrieve and display, much less deliver to an application, such a certificate,
complete with both its mandatory and optional extension fields?
A more general question would be how private attributes defined by PRDMDs will
be represented and retrieved, in particular before support for the '93
attribute syntax description function (I can't remember the precise attribute
name right now) becomes widely implemented?
So, the summary is that LDAP should work ok for storing and retrieving
verifiable certificates. At least, this was certainly the intention
when it was designed! If there is some flaw that makes this impossible,
we would certainly want to fix it. -- Tim
I guess I ought to ask the same questions of Peter Williams regarding MDAP,
which I had never heard of before his recent reference.
On the other hand, even if LDAP is capable of retrieving and reconstructing an
X.509 certificate, is this the best or recommended way of performing this
function? I'd be interested in hearing a brief explanation of the difference
between LDAP and DAP, especially DAP over TCP/IP.
Bob
--------------------------------
Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
Internet: Jueneman@gte.com
FAX: 1-617-466-2603
Voice: 1-617-466-2820
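The reconstruction question raised in the thread, as an added example that is not part of the original messages: parse an RFC 1485 string DN such as "cn=Tim Howes, o=University of Michigan, c=US" back into its attribute-typed RDN components and re-encode it as a DER X.501 Name (SEQUENCE OF RDN, each RDN a SET OF AttributeTypeAndValue). It shows that the string form keeps the attribute types needed to rebuild the ASN.1 structure, and also shows the caveat a verifier cares about: the rebuilt bytes only match the certificate's original DER if the original DirectoryString choice (PrintableString versus T.61String) and RDN order are known, since the signature covers the exact bytes. The OID table, the small parser and the hand-rolled DER encoder are all assumptions of this example; only the X.520 types it needs are listed, and unknown types raise rather than being guessed.

```python
"""Parse an RFC 1485 DN string and re-encode it as a DER X.501 Name.

Added illustration, not code from the thread.  Only a few X.520 attribute
types are known; anything else is an error rather than a guess.
"""
import re

# Attribute-type OIDs from X.520 (only those needed here; an assumption of
# this example, not a full table).
ATTR_OIDS = {"cn": "2.5.4.3", "c": "2.5.4.6", "o": "2.5.4.10", "ou": "2.5.4.11"}

# Character repertoire of ASN.1 PrintableString.
PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")


def parse_rfc1485(dn):
    """Return [(type, value)] in the order written in the string.

    Handles quoted values and backslash escapes; multi-valued RDNs ('+')
    are not needed for the example and are rejected.
    """
    rdns, cur, quoted, i = [], "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur += dn[i + 1]
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch in ",;" and not quoted:
            rdns.append(cur)
            cur = ""
        elif ch == "+" and not quoted:
            raise ValueError("multi-valued RDNs not supported here")
        else:
            cur += ch
        i += 1
    rdns.append(cur)
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("RDN without attribute type: %r" % rdn)
        t, v = rdn.split("=", 1)
        t = t.strip().lower()
        if t not in ATTR_OIDS:
            raise ValueError("unknown attribute type %r" % t)
        out.append((t, v.strip()))
    return out


def der_len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    """Encode a dotted OID as an ASN.1 OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def der_string(value, tag=None):
    """DirectoryString: PrintableString (0x13) when the repertoire allows,
    otherwise T61String (0x14); `tag` forces a particular choice."""
    if tag is None:
        tag = 0x13 if PRINTABLE.match(value) else 0x14
    enc = "ascii" if tag == 0x13 else "latin-1"
    return der_tlv(tag, value.encode(enc))


def encode_name(rdns, tags=None):
    """DER-encode [(type, value)] as an X.501 Name.

    RFC 1485 writes the root-most RDN last (c=US), while the ASN.1
    RDNSequence starts at the root, so the list is reversed.  `tags` maps an
    attribute type to the string tag to use; this is the information you
    must recover from the original certificate to reproduce its exact bytes.
    """
    tags = tags or {}
    parts = []
    for t, v in reversed(rdns):
        atv = der_tlv(0x30, der_oid(ATTR_OIDS[t]) + der_string(v, tags.get(t)))
        parts.append(der_tlv(0x31, atv))  # SET OF AttributeTypeAndValue
    return der_tlv(0x30, b"".join(parts))


def demo(dn="cn=Tim Howes, o=University of Michigan, c=US"):
    """Round-trip the DN from the thread; returns (rdns, der, der_with_t61_cn).

    The second encoding is what a CA that stored the CN as T61String would
    have signed: same string form, different bytes, so a verifier cannot
    rely on the string alone.
    """
    rdns = parse_rfc1485(dn)
    return rdns, encode_name(rdns), encode_name(rdns, tags={"cn": 0x14})


if __name__ == "__main__":
    rdns, der, der_t61 = demo()
    print(rdns)
    print(der.hex())
    print(der_t61.hex(), "differs:", der != der_t61)
```

The encoder is deliberately strict: if an attribute type is not in its table it refuses, which is the practical shape of Bob's question about NADF and PRDMD-defined attributes, since a string DN can only be re-encoded for types whose OID and syntax the reader already knows.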