Alessandro Vesely wrote:
> "William M. Perry" wrote:
> > But this code is for use when _all_ you have is their certificate and you
> > need to verify it against an LDAP directory. Unfortunately, you cannot
> > search binary attributes in LDAP, otherwise you could just search on the
> > certificate.
>
> Then why does one store a certificate in binary? If it is base64
> encoded (including the -----BEGIN/END-----).....
Because the standard 'userCertificate' attribute is supposed to be the DER
encoded binary representation. That's in the 'standard schema for LDAP v3' RFC
- can't remember the # off the top of my head right now.
> May I ask how you find which LDAP server you are going to query?
> (I'd guess, on a support-what-you-do basis, it should be the issuing
> CA's server.)
The user configures it right now. Right now you can only support a single LDAP
server, but I want to make it so that you can specify per-issuer configs. If
there was no config for a specific issuer, then you would just not do anything
and let the other checks determine the fate of the cert.
-bp
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]