Re: which usercertificate attribute
David P. Kemp <dpkemp <at> missi.ncsc.mil>
2000-04-07 17:22:19 GMT
The correct attribute in which to publish end-entity certificates is
the one defined by RFC 2587 "LDAPv2 Schema", namely userCertificate.
RFC 2632 "S/MIME Version 3 Certificate Handling", section 4, does not
specify user agent requirements, leaving implementors on their own to
decide how to retrieve certs. It mentions X.500 (presumably meaning
DAP) and DNS, but says:
"At a minimum, for initial S/MIME deployment, a user agent
could automatically generate a message to an intended recipient
requesting that recipient's certificate in a signed return
For son-of-2632, the first paragraph of section 4 needs to be rewritten
to reflect the current directory environment. At that time, it should
also provide a little more guidance on interoperability. I suggest:
"At a minimum, S/MIME user agents MUST support LDAP (RFC 2559) and
the LDAP v2 Schema (RFC 2587)."
The new section 4 could mention certdist as an option, but standard
LDAP should be mandatory. Certdist could (if modified) be used to
communicate the recipient's algorithm preferences without containing
the recipient's certificate(s).
> From: thayes <at> netscape.com (Terry Hayes)
> Thierry Van Doninck wrote:
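The post argues that end-entity certificates belong in the userCertificate attribute of RFC 2587 and that S/MIME user agents should fetch them over standard LDAP. The following is an added example, not code from the thread or from any of the referenced RFCs. It shows the two sides of that exchange as a directory administrator and a user agent would see them: publishing a DER certificate as `userCertificate;binary` in LDIF (RFC 2849 conventions: `::` for base64 values, continuation lines starting with one space), reading such a record back, and sanity-checking the recovered DER before handing it to a certificate parser, since a truncated or garbage-trailed value is the usual symptom of a broken round trip through a directory. The certificate bytes are a constructed stand-in shaped like an X.509 Certificate (outer SEQUENCE, tbsCertificate with `[0]` version and serialNumber) and are not a valid certificate; all function names and the DN are assumptions for illustration.

```python
import base64

# RFC 2849 LDIF: "attr:: <base64>" carries a binary value, and a long logical
# line is folded into physical lines where each continuation begins with one
# space. RFC 2587 names the attribute userCertificate (Certificate syntax);
# the DER value is transferred with the ";binary" option.
LDIF_MAX_LINE = 76


def fold(line, width=LDIF_MAX_LINE):
    """Fold one logical LDIF line into physical lines of at most `width` chars."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])   # one leading space per continuation
        rest = rest[width - 1:]
    return "\n".join(out)


def ldif_user_certificate(dn, der):
    """Render an LDIF modify record that publishes `der` in userCertificate;binary."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([
        fold("dn: " + dn),
        "changetype: modify",
        "add: userCertificate;binary",
        fold("userCertificate;binary:: " + b64),
        "-",
        "",
    ])


def parse_ldif(text):
    """Unfold an LDIF record into {attribute: [values]}; '::' values become bytes."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]           # continuation: drop the one leading space
        elif line and not line.startswith("#"):
            logical.append(line)
    attrs = {}
    for line in logical:
        if line == "-":
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def der_outer_length_ok(der):
    """True iff `der` is exactly one DER SEQUENCE whose length covers the buffer.

    Rejects truncated values and trailing garbage; also rejects non-minimal
    length encodings, which DER forbids."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
        if length < 0x80 or (n > 1 and der[2] == 0):
            return False
    return hdr + length == len(der)


def read_tlv(buf, pos):
    """Read one BER/DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def serial_number(der):
    """serialNumber from Certificate -> tbsCertificate -> [0] version? -> INTEGER."""
    if not der_outer_length_ok(der):
        raise ValueError("not a single well-formed DER SEQUENCE")
    _, cert_body, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    tag, value, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                           # optional [0] EXPLICIT version present
        tag, value, nxt = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)


def der_tlv(tag, body):
    """Encode one DER TLV with a minimal length field (used only to build the sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed sample: NOT a valid X.509 certificate, only a SEQUENCE shaped
# like one (version [0], serialNumber, filler) big enough to exercise long-form
# lengths and LDIF line folding.
SAMPLE_SERIAL = 0x1A2B3C
SAMPLE_DER = der_tlv(0x30, der_tlv(0x30,
    der_tlv(0xA0, der_tlv(0x02, b"\x02"))                   # version v3
    + der_tlv(0x02, SAMPLE_SERIAL.to_bytes(3, "big"))        # serialNumber
    + der_tlv(0x04, bytes(range(256)) * 2)))                 # filler, 512 bytes


def publish_and_fetch(dn, der):
    """Round-trip `der` through LDIF text as a user agent would receive it."""
    return parse_ldif(ldif_user_certificate(dn, der))["userCertificate;binary"][0]


if __name__ == "__main__":
    got = publish_and_fetch("cn=alice,o=example", SAMPLE_DER)   # assumed DN
    print("round trip intact:", got == SAMPLE_DER, "serial:", hex(serial_number(got)))
```

A user agent that fetches `userCertificate;binary` over LDAP (RFC 2559) gets the same DER bytes the `::` value decodes to here; the length check is the cheap guard to run before any real X.509 parsing, because a directory that stores the attribute with the wrong syntax (string instead of binary) typically returns values that fail exactly that test.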