Michael Bell wrote:

Diego de Felice wrote:

 Resolved another problem! If the CA DN contains "emailAddress", LDAP
can complain about a "FAILED (error 17: LDAP-add failed: emailaddress:
attribute type undefined)" (I think it also complains for normal
certificates). To resolve this, simply add to openca.schema (in the
LDAP schema directory), these lines:

attributetype ( 1.2.840.113549.1.9.1 NAME 'emailAddress'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )


The complete definition is the following one but it is a little bit surprising that such a common attribute type is missing.

# RFC 2459 -- deprecated in favor of 'mail' (in cosine.schema)
attributetype ( 1.2.840.113549.1.9.1
        NAME ( 'email' 'emailAddress' 'pkcs9email' )
        DESC 'RFC2459: legacy attribute for email addresses in DNs'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

I read RFC 3280 and it looks like emailAddress is fully deprecated and rfc822Mailbox (short 'mail') MUST be used. I will fix it for HEAD but can we fix it for 0.9.2 branch too?


There is a clash between IETF standardization, where the PKIX and LDAP people prefer the mail attribute, which is also incorporated in inetOrgPerson (RFC 2798), and the practice of the PKI vendors (e.g. RSA in the non-standard but informational RFC 2985 on PKCS#9) that use "email".

OpenCA should IMO be able to support both at least until the IETF standard has won this dispute.

Cheers,

Peter


Michael



--
_______________________________________________________________________

Peter Gietz (CEO)
DAASI International GmbH                phone: +49 7071 2970336
Wilhelmstr. 106                         fax:   +49 7071 295114
D-72074 Tübingen                        email: [EMAIL PROTECTED]
Germany                                 Web:   www.daasi.de

Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
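As an added example (not OpenCA code, and not posted by anyone in this thread): a small Python preflight that maps an OpenSSL-style certificate subject to an LDAP entry, publishing the PKCS#9 emailAddress value as 'mail' (RFC 2798 inetOrgPerson) and additionally as 'emailAddress' when the server schema defines it (as it does after the openca.schema addition above), and reporting undefined attribute types up front instead of discovering them as the "error 17: attribute type undefined" at ldapadd time. The function names, the sample subject and the server_schema sets are constructed for this example; a real deployment would read the attribute type names from the server's subschema subentry.

```python
import re
from collections import OrderedDict

# 'email', 'emailAddress' and 'pkcs9email' are all names for OID 1.2.840.113549.1.9.1,
# exactly as in the OpenLDAP core.schema definition quoted in the thread.
PKCS9_EMAIL_NAMES = {"email", "emailaddress", "pkcs9email"}

# LDAP result code OpenLDAP returns when an entry uses an attribute type it has no
# schema for (the "error 17 ... attribute type undefined" from Diego's report).
LDAP_UNDEFINED_TYPE = 17


class UndefinedAttributeType(Exception):
    """Raised before any ldapadd when the entry would use types the server schema lacks."""

    def __init__(self, names):
        self.code = LDAP_UNDEFINED_TYPE
        self.names = list(names)
        super().__init__(f"error {self.code}: attribute type undefined: {', '.join(self.names)}")


def parse_openssl_dn(subject):
    """Parse an OpenSSL one-line subject ('/C=DE/O=Example/CN=Test User/emailAddress=...')
    into an ordered list of (type, value) pairs.  '\\/' inside a value is a literal slash."""
    pairs = []
    for rdn in re.split(r"(?<!\\)/", subject.strip()):
        if not rdn:
            continue
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type:
            raise ValueError(f"malformed RDN {rdn!r}")
        pairs.append((attr_type.strip(), value.replace("\\/", "/")))
    return pairs


def escape_dn_value(value):
    """Escape an attribute value for use in an LDAP DN (RFC 4514 section 2.4)."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_ldap_entry(subject, server_schema):
    """Return (ldap_dn, attributes) for a certificate subject.

    server_schema: attribute type names the directory defines (constructed sets below;
    in practice read from the subschema subentry).  E-mail RDNs are published as 'mail'
    (RFC 2798).  When the server also defines 'emailAddress' the value is published under
    both names, so PKCS#9-style and inetOrgPerson-style clients both find it.  Any other
    type the schema lacks raises UndefinedAttributeType instead of failing at add time.
    """
    schema = {name.lower() for name in server_schema}
    attributes = OrderedDict()
    dn_parts = []
    undefined = []
    for attr_type, value in parse_openssl_dn(subject):
        key = attr_type.lower()
        if key in PKCS9_EMAIL_NAMES:
            if "mail" in schema:
                attributes.setdefault("mail", []).append(value)
                dn_parts.append(("mail", value))
            elif "emailaddress" in schema:
                dn_parts.append(("emailAddress", value))
            else:
                undefined.append(attr_type)
            if "emailaddress" in schema:
                attributes.setdefault("emailAddress", []).append(value)
        elif key in schema:
            attributes.setdefault(key, []).append(value)
            dn_parts.append((key, value))
        else:
            undefined.append(attr_type)
    if undefined:
        raise UndefinedAttributeType(undefined)
    # LDAP DNs list the most specific RDN first; OpenSSL prints the opposite order.
    ldap_dn = ",".join(f"{t}={escape_dn_value(v)}" for t, v in reversed(dn_parts))
    return ldap_dn, attributes


def undefined_types(subject, server_schema):
    """Preflight: attribute types the server would reject, or [] if the add can proceed."""
    try:
        build_ldap_entry(subject, server_schema)
    except UndefinedAttributeType as err:
        return err.names
    return []


def to_ldif(ldap_dn, attributes, object_classes=("top", "inetOrgPerson")):
    """Render the entry as LDIF for ldapadd.  MUST attributes of the chosen object
    classes (e.g. 'sn' for person/inetOrgPerson) remain the caller's responsibility."""
    lines = [f"dn: {ldap_dn}"]
    lines += [f"objectClass: {oc}" for oc in object_classes]
    for name, values in attributes.items():
        lines += [f"{name}: {v}" for v in values]
    return "\n".join(lines) + "\n"


# Constructed sample data: a schema without emailAddress and one with the addition.
SCHEMA_WITHOUT_EMAILADDRESS = {"objectClass", "c", "o", "cn", "sn", "mail"}
SCHEMA_WITH_EMAILADDRESS = SCHEMA_WITHOUT_EMAILADDRESS | {"email", "emailAddress", "pkcs9email"}
SAMPLE_SUBJECT = "/C=DE/O=Example Org/CN=Test User/emailAddress=user@example.org"

if __name__ == "__main__":
    for schema in (SCHEMA_WITHOUT_EMAILADDRESS, SCHEMA_WITH_EMAILADDRESS):
        dn, attrs = build_ldap_entry(SAMPLE_SUBJECT, schema)
        print(to_ldif(dn, attrs))
    print("would be rejected:", undefined_types(SAMPLE_SUBJECT, {"c", "o", "cn"}))
```

Running the script prints two LDIF entries for the constructed subject, the second carrying both mail and emailAddress, and then the preflight result for a schema that defines neither, which is the situation that produced the error 17 in the thread.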


