Dieter Kluenter wrote:
> Howard Chu <[email protected]> writes:
>
>> Jelle de Jong wrote:
>>> On 24/07/09 18:22, Dieter Kluenter wrote:
>>>> Jelle de Jong<[email protected]> writes:
>>>>
>>>>> Brian A. Seklecki wrote:
>>>>>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>>>>>> Hello everybody,
>>>> [...]
>>>>> Hi BAS, thank you for helping, I gathered some more information I hope
>>>>> it can help to see what is going on, I can't make anything from the
>>>>> debug output of the openldap server
>>>>>
>>>>> http://debian.pastebin.com/m56aaee1e
>>>> The powercraft/nl-certificate is missing the X509v3 Authority Key
>>>> Identifier
>
>>> So that was an answer I was not expecting :D. So I contacted the
>>> CACert.org people that are my root authority for my certs, and they
>>> indeed do not support X509v3. I am creating a feature bug for this at
>>> their bugtracker, however isn't there a way for openldap to not use the
>>> X509v3 extensions?
>> Pretty sure the extensions are not required. However, X.509v1 certs
>> are more easily spoofed.

Yupp.

> If a signing keyid is not required, are there other methods to
> describe and verify the certificate chain?

Yes, of course! RFC 5280, section 4.1.2.4.:

   Certificate users MUST be prepared to process the issuer distinguished
   name and subject distinguished name (Section 4.1.2.6) fields to perform
   name chaining for certification path validation (Section 6).

Ciao,
Michael.
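The name chaining Michael quotes from RFC 5280, and Howard's caveat about spoofing, are easy to see side by side in code. The example below is added here and is not part of the thread or of OpenLDAP; it uses the third-party `cryptography` package and builds its own throwaway CA and leaf certificates with no extensions at all (so, like the CAcert-issued certificate in the thread, no Authority Key Identifier). It then validates the leaf purely by issuer-DN/subject-DN matching plus a signature check against the trust anchor's key, and shows why the DN match alone is not enough: a second, constructed CA with the same subject name passes name chaining but fails the signature check. All names and keys are constructed for the demonstration.

```python
"""Added example (not from the thread): RFC 5280 name chaining without an
Authority Key Identifier, using the third-party `cryptography` package.
All certificate names and keys are constructed here for the demonstration."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(common_name):
    """Build a one-attribute distinguished name (constructed test data)."""
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_pair():
    """Return (ca_cert, leaf_cert): a self-signed CA and a leaf it signs.

    No extensions are added, so neither certificate carries an Authority
    Key Identifier; chaining must rely on the DNs and the signature."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())

    ca_name = _name("Example Root CA")  # constructed name
    ca_cert = (x509.CertificateBuilder()
               .subject_name(ca_name)
               .issuer_name(ca_name)  # self-signed: issuer == subject
               .public_key(ca_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=1))
               .sign(ca_key, hashes.SHA256()))

    leaf_cert = (x509.CertificateBuilder()
                 .subject_name(_name("ldap.example.test"))  # constructed
                 .issuer_name(ca_cert.subject)  # what name chaining relies on
                 .public_key(leaf_key.public_key())
                 .serial_number(x509.random_serial_number())
                 .not_valid_before(now - datetime.timedelta(days=1))
                 .not_valid_after(now + datetime.timedelta(days=1))
                 .sign(ca_key, hashes.SHA256()))
    return ca_cert, leaf_cert


def has_aki(cert):
    """True if the certificate carries an Authority Key Identifier extension."""
    try:
        cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
        return True
    except x509.ExtensionNotFound:
        return False


def chains_by_name(child, parent):
    """RFC 5280 4.1.2.4 name chaining: child's issuer DN == parent's subject DN."""
    return child.issuer == parent.subject


def signature_valid(child, parent):
    """True if `child` was really signed by the key in `parent`.

    This is the step that defeats a spoofed issuer: matching names alone
    say nothing about which key produced the signature."""
    try:
        parent.public_key().verify(
            child.signature,
            child.tbs_certificate_bytes,
            ec.ECDSA(child.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def validate_leaf(leaf, trust_anchor):
    """Minimal path validation for a one-step chain: name chaining plus
    signature verification against the trust anchor. Returns a dict of the
    individual checks so a caller can see which one failed."""
    return {
        "aki_present": has_aki(leaf),
        "name_chains": chains_by_name(leaf, trust_anchor),
        "signature_ok": signature_valid(leaf, trust_anchor),
    }


if __name__ == "__main__":
    ca, leaf = make_pair()
    print("genuine leaf:", validate_leaf(leaf, ca))
    # A second CA with the *same* subject name but a different key:
    # name chaining still matches, the signature check does not.
    _impostor_ca, impostor_leaf = make_pair()
    print("impostor leaf:", validate_leaf(impostor_leaf, ca))
```

Because `make_pair()` always uses the same constructed DN for the CA, the second call produces an "impostor" chain whose leaf names the genuine CA as issuer; `validate_leaf` reports `name_chains` true and `signature_ok` false for it, while the genuine leaf passes both with no AKI present. A verifier that stopped at the DN comparison is exactly the spoofing Howard is warning about.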
