[EMAIL PROTECTED] wrote:

> "William M. Perry" wrote:
> > But this code is for use when _all_ you have is their
> > certificate and you
> > need to verify it against an LDAP directory.  Unfortunately,
> > you cannot
> > search binary attributes in LDAP, otherwise you could just
> > search on the
> > certificate.
>
> One solution I've seen is to calculate an md5 of the certs and
> use that for identification aka. in a multiple CA environment,
> each cert is stored on the ldap server with an md5 of the CA
> and an md5 of the cert. Other entries would be the contents of
> the DN, validity period, cert status, pem and der encoded cert.
> Works quite well, and could IMO be a reasonable alternative to the
> current cert database used by openssl.

Seems like a bit of a burden on the LDAP administrator unless their CA
automatically populated all these entries.  This will be the ideal eventually,
but I think that is still quite a few months out before everybody has a CA that
can do this.

The LDAP standard schema has object types for CAs and attributes for their
certs and all that fun stuff.  Theoretically, you could make the mechanism for
finding CAs and verifying certificates completely automatic.  Basic steps would
be:

1) Discover the LDAP server (using service discovery?)
2) Discover the roots of the LDAP server (most LDAP servers expose this if you
query the 'top' of the tree)
3) Search for (objectClass=certificateAuthority) in each root, and extract
their public key and any other information we can find out about them.

This would actually be _very_ simple, except for the service discovery
part.

-bp

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
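The two ideas in this exchange, indexing CA certificates by a hash of the cert so that a certificate you hold can be matched without searching a binary attribute, and steps 2 and 3 of the automatic procedure (read the search bases from the server, then pull the `cACertificate` values of every `certificateAuthority` entry), are illustrated below in an added Python example that is not part of this thread or of OpenSSL. It works on an LDIF export rather than a live connection so it runs offline; the LDIF text, the root DSE and the certificate bytes are constructed placeholders (the `cACertificate;binary` values are not real X.509 DER, so no public key is extracted from them). The thread suggests MD5 for the fingerprint; the example defaults to SHA-256 because MD5 is no longer collision-resistant, but the algorithm is a parameter.

```python
"""Match a certificate against CA entries exported from an LDAP directory.

Added example, not code from the thread or from OpenSSL.  All input below
is constructed: the LDIF, the root DSE and the certificate bytes are
placeholders standing in for what an LDAP search would return.
"""
import base64
import hashlib

# Constructed placeholder "DER" blobs; a real deployment would hold X.509
# certificates here and parse them with an ASN.1/X.509 library.
CA1_DER = b"\x30\x82\x01\x00" + b"constructed placeholder for Example Root CA"
CA2_DER = b"\x30\x82\x01\x00" + b"constructed placeholder for Example Issuing CA"


def _fold(b64, width=40):
    """LDIF line folding: continuation lines start with a single space."""
    return "\n ".join(b64[i:i + width] for i in range(0, len(b64), width))


# Constructed root DSE, as returned by querying the top of the tree
# (step 2 of the procedure): namingContexts lists the search bases.
ROOT_DSE_LDIF = """\
dn:
objectClass: top
namingContexts: o=Example,c=US
namingContexts: o=Other,c=US
"""

# Constructed result of searching (objectClass=certificateAuthority)
# under a naming context (step 3).  One value is line-folded on purpose.
SAMPLE_LDIF = """\
dn: cn=Example Root CA,o=Example,c=US
objectClass: top
objectClass: certificateAuthority
cn: Example Root CA
cACertificate;binary:: {ca1}

dn: cn=Other Thing,o=Example,c=US
objectClass: top
objectClass: organizationalRole
cn: Other Thing

dn: cn=Example Issuing CA,ou=PKI,o=Example,c=US
objectClass: certificateAuthority
cn: Example Issuing CA
cACertificate;binary:: {ca2}
""".format(ca1=_fold(base64.b64encode(CA1_DER).decode()),
           ca2=base64.b64encode(CA2_DER).decode())


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr: [bytes, ...]}) entries.

    Handles folded continuation lines and base64 values ("attr:: b64").
    Attribute names are lower-cased and options such as ";binary" dropped,
    so cACertificate;binary and cACertificate land under the same key.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line:
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: base64"
            value = base64.b64decode(rest[1:].strip())
        else:                             # "attr: plain text"
            value = rest.strip().encode()
        key = name.split(";")[0].lower()
        if current is None:
            if key != "dn":
                raise ValueError("LDIF entry must start with a dn line")
            current = (value.decode(), {})
            continue
        current[1].setdefault(key, []).append(value)
    return entries


def search_bases(root_dse_ldif):
    """Step 2: the naming contexts advertised by the root DSE."""
    (_, attrs), = parse_ldif(root_dse_ldif)
    return [v.decode() for v in attrs.get("namingcontexts", [])]


def fingerprint(der, algo="sha256"):
    """Hash of the encoded certificate; the thread used md5, SHA-256 is safer."""
    return hashlib.new(algo, der).hexdigest()


def build_ca_index(ldif_text, algo="sha256"):
    """Step 3: {fingerprint: (dn, der)} for every certificateAuthority entry."""
    index = {}
    for dn, attrs in parse_ldif(ldif_text):
        classes = [v.lower() for v in attrs.get("objectclass", [])]
        if b"certificateauthority" not in classes:
            continue
        for der in attrs.get("cacertificate", []):
            index[fingerprint(der, algo)] = (dn, der)
    return index


def lookup_ca(index, der, algo="sha256"):
    """Given only a certificate, find the directory entry holding it, or None."""
    return index.get(fingerprint(der, algo))


if __name__ == "__main__":
    print("search bases:", search_bases(ROOT_DSE_LDIF))
    idx = build_ca_index(SAMPLE_LDIF)
    print("indexed CAs:", [dn for dn, _ in idx.values()])
    print("lookup:", lookup_ca(idx, CA1_DER)[0])
```

With a live server the same code applies after replacing the two LDIF constants with the text of a root-DSE read and a `(objectClass=certificateAuthority)` search under each base; matching stays an exact fingerprint comparison, which is the point of the hashed-cert scheme in the quoted post.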
