Re: certificates and CRLs - access and storage

dave horvath (
Mon, 14 Oct 1996 11:49:15 -0400

> Has anyone out there had experience in storing
> X.509 certificates/certificate revocation lists on a slapd server? Are
> there any pitfalls that we should know about? What are the problems with
> using LDAP to retrieve certificates/CRLs?
> Any helpful hints/pointers gratefully received!

We have NOT been using sldapd, but here are some
general problem areas we encountered with LDAP V2 and QUIPU
implementations :

o String encoding -- be careful in LDAP V2 when storing
signed items that are string encoded not to mistakenly
modify the Cert/CRL in the syntax handler either on the
client or server side.
This could ultimately cause a problem during signature
verification by producing a different DER encoding.
We ran into everything from uppercasing of country
codes within DNs to changing of UTC times in the
LDAP/DSAs we were using.

You should really avoid string handling of signed items
if possible by sending the actual ASN.1 over the wire.

LDAP V3 has the ;binary qualifier to enable that.

o Watch the UTC time encodings. We had one implementation
that was dropping seconds.

Dave Horvath
Chromatix, Inc.

> Tim Dean
> DRA-Malvern
> UK