Re: ldap certificate problems (bugs?)

Eric Rosenquist (
Mon, 30 Jan 1995 08:30:01 -0500 (EST)

> The Problem:
> What is the textual syntax of an ldap certificate supposed to be like?

It's supposed to be a fixed version of rfc1488, which, as you pointed out,
is missing some rather important fields. I submitted the certificate code
last year when I was with BNR - it's the code BNR / Northern Telecom uses
in their Entrust security product. The folks at U-Mich rolled it into the
main distribution, but they had another group somewhere in Europe that also
submitted rfc1488 certificate fixes. I think U-Mich tried to simply make a
few minor changes in the code I submitted so that it matched the syntax
being used by the other group, but it looks like they changed only the
print routine and forgot the parse routine.

> the last two syntaxes seem to assume that two of the algoritms in an X.500
> Certificate should be identical. Is this always a valid assumption?

I don't think there's anything in X.509 that explicitly requires that the
two algorithms are the same, but it is certainly implied that they are the
same and it is hard to imagine why you'd want a certificate (or any other
signed ASN.1 structure) to have a different sigAlgId and algId. Most
certificate-verifying applications would probably reject such a certificate
as invalid.

Eric Rosenquist |Phone : (613) 592-4924 |"Who would have guessed
Enterprise Solutions Ltd.|Fax : (613) 591-3485 | reading and writing
94 Rowe Drive |Internet:| would pay off!"
Kanata Ont CANADA K2L 3Y9|Opinions: are my own | -- Homer Simpson